My college uses eduroam for WiFi. When setting it up, I am advised to install the college's own CA certificate. I am dubious about this as I have heard that it would allow them to perform a MITM attack and read the contents of my HTTPS traffic, which I am naturally uncomfortable about.

I am using an Android phone and a Windows laptop on the WiFi, neither of which is from the college.

The WiFi also works if I choose the "Don't validate" option under the CA certificate section when setting it up. With this method, I can still use the WiFi, and I don't have to install any certificates.

Is this second method any more secure than with the college's CA certificate? Or is it less secure? I feel like this is a lose-lose situation if they can read the contents of my HTTPS traffic with the second method.

  • Are you actually installing the CA certificate in the phone's certificate store, or just using it to verify the wireless provider? – user Nov 01 '21 at 20:12
  • @user It has to be installed. There's an app that does it and it requires storage access to do so. – Sister Mollie Nov 01 '21 at 20:14
  • WRT `Or is it less secure?` - It might be. It's possible that the reason they are asking you to install their cert is so that they can MITM the connection, so that they can do deep packet inspection, so that they can protect you from viruses, malware, etc. – mti2935 Nov 01 '21 at 21:01
  • Does this answer your question? [Eduroam requires installation of a CA Certificate - can they decrypt TLS traffic?](https://security.stackexchange.com/questions/229645/eduroam-requires-installation-of-a-ca-certificate-can-they-decrypt-tls-traffic) – user Nov 01 '21 at 21:08
  • @SisterMollie Instead of using some app to install it, I would suggest following [UCSC's](https://its.ucsc.edu/wireless/eduroam-manual-config.html) instructions for installing the certificate, making sure to select Wi-Fi for credential use. According to Angel's answer, that should prevent Android from allowing that certificate to be used to MITM your HTTPS connections. – user Nov 01 '21 at 21:11

0 Answers