Before you mark this one as a duplicate, I have indeed seen similar questions here but they do not provide the direct answer I'm seeking.

Here are a few details:

  1. I've taken google as an example because it uses SSL.

  2. I am using my own device on their wifi network, so there is no possibility of a fake CA being installed on my system?

  3. The padlock icon indeed is active, when I visit Google, and shows the correct certificate.

So, can I be sure that they are not able to see my Google searches?

techraf
ticktock

2 Answers

Yes, given 1-3 you can be sure the connection is encrypted end-to-end between the browser and the server, and that a 3rd party cannot intercept the unencrypted message (without obtaining encryption keys through some other means).

techraf

First note that in most cases the network administrators will not watch your traffic, even if they could. So the following only outlines the ways administrators could in theory watch your traffic if they really want to.

I am using my own device on their wifi network, so there is no possibility of a fake CA being installed on my system?

You might not be fully aware what kind of CA certificates you already have installed and what can be done with these:

  • In enterprise Wifi installations you often authorize against the Wifi with a username and password and authenticate the access point by validating its certificate. For this purpose you need to install the appropriate CA on your system. In many setups the use of this CA is not limited to authentication of the access point; it is installed globally on the system and thus could be used for SSL interception too. Such Wifi installations can often be found in universities too, for example eduroam.
  • Several universities have their own intermediate CAs which are based on a CA trusted by the browser. This is at least very common in Germany, where the root certificate is Deutsche Telekom Root..., the next level is DFN-Verein... and then comes the university CA, which then issues the certificates for systems owned by the university.

In the last case any of the intermediate CAs might issue a certificate for any server, even if they don't own it. Such misuse will be detected, though, when certificate pinning is used, because in this case the expected public key of the certificate will not match the public key seen in the issued certificate. Since some important sites like google are pre-pinned inside at least Chrome and Firefox, it would be detected if these certificates were spoofed this way.

But in the first case pinning checks might be disabled because the CA was explicitly imported as a trusted root CA and is thus officially allowed to do SSL interception. This makes sense in the case of SSL interception for security reasons, as done in firewalls and antivirus, but probably not for CAs used to authenticate a Wifi access point. In this case it is much harder to detect such a MITM, because one has to verify the full certificate chain in the browser, up to the trusted root certificate.

I've taken google as an example because it uses SSL. ... The padlock icon indeed is active, when I visit Google, and shows the correct certificate.

It depends on what you consider a "correct" certificate. If you check only that the certificate was issued for the correct site then this might not be enough. If you instead checked the full chain up to the root, or if you've checked the fingerprint of the certificate against a known good fingerprint, then you are probably safe, at least for this specific site. But even if a specific site like google does not get intercepted, that does not mean that all the other sites are not intercepted either, because such interception can be done selectively.

So, can I be sure that they are not able to see my Google searches?

Even if they do not intercept the SSL connection and thus cannot see directly what kind of searches you do, they see what sites you've visited (at least the domain, even with https) and at what time, and can infer from this what you might be looking for. Also some search engines (not google though) put the original search string in the Referer of the HTTP request when you click on a search result, and thus the target site can see what you've searched for. And if the request to the target site is either not done with https or SSL interception was done, then the university could in theory also sniff this HTTP request, extract the Referer and have your original search query.

Steffen Ullrich
  • By "If you instead checked the full chain up to the root..." did you mean this? http://imgur.com/a/7ZbnG – ticktock Sep 05 '16 at 06:40
  • @ticktock: yes. And also check that the root is a pre-installed one and not some other which claims to have the same subject (unlikely but possible). – Steffen Ullrich Sep 05 '16 at 07:24
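The check that the answer and the follow-up comment describe, as an added example (not code from the original post or from any browser): the leaf is compared against a known-good fingerprint and the root of the chain against the fingerprints of the pre-installed roots, so a locally imported root that only copies a real root's subject name fails. The certificate bytes below are constructed stand-ins; `fetch_chain` shows where a real chain would come from (Python 3.13+, network access assumed).

```python
from __future__ import annotations

import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (real ones would be the
# bytes returned by get_verified_chain()); only their hashes matter here.
GOOD_LEAF = b"constructed DER: leaf certificate for www.example.com"
INTERMEDIATE = b"constructed DER: university intermediate CA"
PREINSTALLED_ROOT = b"constructed DER: root CA shipped with the OS/browser"
LOOKALIKE_ROOT = b"constructed DER: locally added root with the same subject name"
OTHER_LEAF = b"constructed DER: leaf for www.example.com issued by another CA"


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER certificate, as shown in browser UIs."""
    return hashlib.sha256(der).hexdigest()


def check_chain(chain: list[bytes], trusted_root_fps: set[str],
                pinned_leaf_fps: set[str] | None = None) -> tuple[bool, str]:
    """Check a leaf-first chain as the answer recommends: leaf against a
    known-good fingerprint (if pinned), root against the pre-installed roots
    by fingerprint, so a locally imported root that only copies a real root's
    subject name is rejected."""
    if not chain:
        return False, "empty chain"
    leaf_fp = sha256_fingerprint(chain[0])
    if pinned_leaf_fps is not None and leaf_fp not in pinned_leaf_fps:
        return False, f"leaf {leaf_fp[:16]}... does not match the pinned fingerprint"
    root_fp = sha256_fingerprint(chain[-1])
    if root_fp not in trusted_root_fps:
        return False, f"root {root_fp[:16]}... is not one of the pre-installed roots"
    return True, "leaf matches pin and chain ends in a pre-installed root"


def fetch_chain(host: str, port: int = 443) -> list[bytes]:
    """Verified chain of a live server, leaf first (needs network, Python 3.13+)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.get_verified_chain()


if __name__ == "__main__":
    roots = {sha256_fingerprint(PREINSTALLED_ROOT)}
    pins = {sha256_fingerprint(GOOD_LEAF)}
    print(check_chain([GOOD_LEAF, INTERMEDIATE, PREINSTALLED_ROOT], roots, pins))
    print(check_chain([GOOD_LEAF, INTERMEDIATE, LOOKALIKE_ROOT], roots, pins))
    print(check_chain([OTHER_LEAF, INTERMEDIATE, PREINSTALLED_ROOT], roots, pins))
```

In practice the trusted-root set would be built from the fingerprints of the roots the OS or browser ships with, not from any root that happens to be in the local store.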