0

This is concerning an Android device (not sure if that information helps, since Apple works differently).

When logging into a wifi network, there will be sections that ask for different information. One is to choose a certificate. The options for a certificate can vary between networks. Choosing a specific certificate would require downloading the certificate and a warning will appear saying the actions can be monitored.

For the option to “use system certificates”, what does that mean? Does that mean no certificate is being installed when connecting to that wifi network (I am just using the certificates my device already had prior to attempting to login to the wifi)?

I know certificates are used to make sure the connection is secured, mostly from hackers inspecting traffic. Not sure how that works when choosing the option of using system certificates.

schroeder
Dan

2 Answers

3

Using system certificates means that the certificate of the WiFi must be signed by a CA that is trusted for everything on the system, i.e. also in the browser. This means the publicly-trusted CA we usually expect to see when surfing the web, i.e. certificates from Let's Encrypt and similar. There might also be a company-specific CA installed here.

It is common, though, that the certificate for the WiFi is company-specific and not signed by a public CA, and that the whole purpose of this certificate is to be used for authenticating the WiFi Access Point to the client - in which case, it makes sense to configure it for the specific WiFi and not include it in the system certificates. In general, this is the more secure option since it is more specific to what the client should expect. But since it needs the user to explicitly install a new certificate it is also the less user-friendly option.

schroeder
Steffen Ullrich
  • When trying to log into a certain wifi, I would see two options which are to not validate or to use system certificates. There are no certificates to choose for wifi that are specific to said company or location. Just have those two options. So I wanted to see what the system option entailed. – Dan Sep 11 '22 at 12:32
  • @Dan: More options are only shown if you have additional certificates installed for WiFi. If you don't have this you can only choose between validating with the system certificates or not validating at all. – Steffen Ullrich Sep 11 '22 at 13:10
  • Ok. Did not know about the additional certificates for wifi. If choosing the “use system certificates”, are the “contents” of my searches visible to the wifi admin? For example searches that have https or apps that are encrypted. Since I would be using certificates of my system rather than a specific certificate issued by the wifi in question. – Dan Sep 11 '22 at 13:38
  • @Dan: In short: No. In detail: this is about certificates used for WiFi authentication, not for SSL interception. See [My school wifi asks to 'trust' a certificate on iPhones. Does this allow them to view SSL traffic?](/questions/178909) or [If I accept a certificate in order to use my company’s Wi-Fi, am I vulnerable to MITM attacks?](/questions/122846/) for more. – Steffen Ullrich Sep 11 '22 at 14:06
  • Thank you, that helped. – Dan Sep 11 '22 at 14:36
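
The three choices discussed in the answer above, written as wpa_supplicant network blocks for comparison. This is an added example, not part of the original answer; it assumes a Linux client running wpa_supplicant, and the SSID, identity, server name and file paths are constructed placeholders.

```conf
# Constructed example. A real file would contain only ONE of these blocks.

# 1. "Do not validate": no ca_cert/ca_path is set, so the client accepts
#    whatever certificate the authentication server presents. The client
#    cannot tell the real network from one that merely uses the same SSID.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="placeholder"
}

# 2. "Use system certificates": the server certificate must chain to any CA
#    in the system trust store. Because public CAs issue certificates to
#    anyone who controls a domain, the expected server name must also be
#    pinned, otherwise any publicly issued certificate would pass.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="placeholder"
    ca_path="/etc/ssl/certs"
    domain_suffix_match="radius.example.org"
}

# 3. Network-specific CA: only certificates issued by this one CA are
#    accepted. The CA file has to be installed on the client first, which is
#    the extra step the answer describes as less user-friendly.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="placeholder"
    ca_cert="/etc/wpa_supplicant/examplecorp-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

In all three cases the certificate only authenticates the network's authentication server to the client during the WiFi login; none of them installs a CA that applications would trust for HTTPS.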
-1

The system certificate is more about authentication. In other words, you rightfully got on to the wifi, so your cert is used from there on out to authenticate you from a hacker. The certs on the other side are separate.

schroeder
Rob
  • The question never mentions Let's Encrypt, so I removed that part. I'm really struggling to see how this answers the question. How does the system cert differ from using a specific cert? "The certs on the other side are separate." -- what 'side'? I think this needs a lot more explaining. – schroeder Sep 11 '22 at 08:37