
Recently, my school's administration announced some network changes. Should I want to use the school's WiFi, I'd have to download an SSL certificate to my macOS (High Sierra v.10.13.1). I'll admit that I have limited knowledge of what this all means. I'm afraid that this will enable them to access my private information and search history. Is that the case? Can they see what I am doing when I am not connected to their WiFi through an SSL certificate? Please excuse my ignorance :)

  • 3
    Is it a client certificate, i.e. is it user-specific (similar to a password, it enables you to access the network)? – Luc Apr 18 '18 at 23:40
  • 1
    @Luc's questions need to be answered before we can give more information. But most likely a certificate alone will not allow the school to view internet history and/or private information. It is most likely an authentication method either for the network or for a website. – JBis Apr 19 '18 at 00:12
  • To help answer that, where did you install it on your system? – multithr3at3d Apr 19 '18 at 00:17
  • not your history, but certainly your current activity. – dandavis Apr 19 '18 at 00:30
  • 1
    This could be a private CA certificate which, when installed and trusted, allows the school's web proxy to fake HTTPS sites. So this especially allows snooping into all (secured) web traffic. – eckes Apr 19 '18 at 01:12
  • 2
    Alternatively, it could be a certificate for EAP authentication. Without knowing more, no way to answer OP. – David Apr 19 '18 at 01:19

1 Answer


As alluded to by many of the comments on your question, the information you provided isn't enough to give a definitive answer, but here's my guess being that I am very familiar with typical campus infrastructure.

Your school likely has their own CA (certificate authority) that they use for various services on their network. Since they made the CA (and it's not that widely used), your device doesn't recognize the CA and doesn't trust it. In order for your device to trust the school's CA, you need to install the certificate. Since you are required to install the CA certificate to use the wireless, my guess is your campus is using WPA2-Enterprise with RADIUS authentication using PEAP and MSCHAPv2 (pretty common). The P in PEAP stands for protected, in this case using TLS (the new fancy term for SSL :P) to protect the communication being transferred. This does NOT give the university any direct access to your device whatsoever. This will merely allow you to connect to their network, which may have monitoring ramifications (such as Deep Packet Inspection, location based on access point, identifying your machine by the MAC address, etc.), but this can occur on any network regardless of the TLS certificate installation. The TLS certificate and CA install will not be adding any remote monitoring software or anything crazy like that.

SuperAdmin
  • 1
    You sure that installing school's CA will not allow school to decrypt TLS traffic when they MITM it? – Luc Apr 19 '18 at 08:17
  • @Luc In this case no. The certificate installed would be protecting the user credentials sent to the authentication server to be granted access to the network. Connections to any web server are still end-to-end encrypted, and any non-secure traffic could be MITM’d regardless. However, this doesn’t mean they can’t MITM you. I suppose their DNS could be malicious or what have you, but this is not because of the RADIUS certificate. – SuperAdmin Apr 19 '18 at 12:49
  • "*this doesn’t mean they can’t MITM you*" But... but that's exactly what I'm asking: "allow school to decrypt TLS traffic when they MITM it" – Luc Apr 19 '18 at 14:28
  • @Luc Trusting a RADIUS certificate is not going to be using the certificate to MITM you. My point was that just because the RADIUS certificate isn’t doing it doesn’t mean it can’t be achieved by different means. There is more than one way to MITM traffic. – SuperAdmin Apr 19 '18 at 14:33
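
The comments above turn on what kind of certificate the school handed out: a client certificate, a CA certificate, or a server certificate used for EAP. As an added example (not part of the original thread), the script below classifies a certificate file by its X.509 extensions with the `openssl` command-line tool; `classify_cert` and `make_sample` are hypothetical helper names and the sample certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a certificate file
# by its X.509 extensions, using the openssl command-line tool.

# classify_cert FILE -> prints ca | client | server | other | unreadable
classify_cert() {
  # Try PEM first, then DER (.cer/.der downloads are often binary).
  cc_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
    || openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null) \
    || { echo "unreadable"; return 1; }
  if printf '%s\n' "$cc_text" | grep -q 'CA:TRUE'; then
    echo "ca"      # can sign other certificates (campus root or intermediate)
  elif printf '%s\n' "$cc_text" | grep -q 'TLS Web Client Authentication'; then
    echo "client"  # user- or device-specific credential
  elif printf '%s\n' "$cc_text" | grep -q 'TLS Web Server Authentication'; then
    echo "server"  # e.g. the certificate of an authentication server
  else
    echo "other"
  fi
}

# make_sample KIND FILE: write a constructed self-signed sample certificate.
make_sample() {
  case "$1" in
    ca)     ms_ext='basicConstraints = critical,CA:TRUE' ;;
    client) ms_ext='extendedKeyUsage = clientAuth' ;;
    server) ms_ext='extendedKeyUsage = serverAuth' ;;
    *)      return 2 ;;
  esac
  ms_dir=$(mktemp -d) || return 1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
    'prompt = no' '[dn]' "CN = Constructed $1 sample" '[ext]' "$ms_ext" \
    > "$ms_dir/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$ms_dir/req.cnf" \
    -keyout "$ms_dir/key.pem" -out "$2" 2>/dev/null
  ms_rc=$?
  rm -rf "$ms_dir"
  return "$ms_rc"
}

# Demo on constructed samples; on a real system pass the downloaded file instead.
demo_dir=$(mktemp -d)
for kind in ca client server; do
  make_sample "$kind" "$demo_dir/$kind.pem" \
    && echo "$kind sample -> $(classify_cert "$demo_dir/$kind.pem")"
done
rm -rf "$demo_dir"
```

A result of `ca` only says the certificate can vouch for other certificates; which connections it is trusted for depends on where it was installed, and on macOS `security dump-trust-settings -d` lists the admin-level trust settings.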