Can my school see exactly what I’m doing?

My school requires us to install DigiCert Global Root CA and DigiCert SHA2 Secure Server on our personal devices to access the secure and guest WiFi. Does this mean that the school can see the contents of personal emails (not on the given .edu account) as well as our exact history?

The use of VPNs is not allowed.

Here's a picture of it for those who asked.

Once you click on the certificates, it lists:

  • algorithm (RSA encryption)
  • parameters (none)
  • public key size (2048)
  • public key data (a lot of numbers and letters), and
  • fingerprints

Also, here's a picture of the WiFi.

  • (+2) Possible duplicate of My school wifi asks to ‘trust’ a certificate on Iphone’s, does it this allow them to view SSL traffic? – Steffen Ullrich, yesterday

  • (+1) @SteffenUllrich The other question is asking about trusting a certificate for EAP/WPA2 Enterprise, necessary for secure WiFi. This is apparently asking about installing a root CA. – user71659, yesterday

  • (+1) @user71659: at the end, in both questions the users are asked to trust the DigiCert SHA2 Secure Server CA. Given that this is an intermediate CA signed by DigiCert Global Root CA, the client also needs to trust this root CA in order to create the trust chain. See this list of DigiCert CAs for more information. – Steffen Ullrich, yesterday

  • (+2) @SteffenUllrich No. There are different levels of trust, so the risk is far different. When you trust an EAP certificate, the OS trusts it for the purpose of EAP authentication, often bound only to the specific WiFi SSID. That is, it only allows the login exchange with those servers connected to that specific SSID. If you’re on a Mac, open the cert in Keychain and you can see the settings. Installing a root CA trusts the certificate for all purposes it claims to be used for, including code signing and TLS. This is far broader. – user71659, yesterday

  • (+1) @user71659: I don’t see any mention of a specific OS in the question, and I don’t see that the question explicitly says that the CA should be installed to be trusted globally. Instead it says that these certificates should be (somehow – no specifics are given) installed in order to access the guest WiFi. Insofar it looks to me the same as the other one, i.e. install a CA certificate so that one can automatically trust the WiFi. It would probably be useful if the OP could provide more detailed information on what exactly was requested and which instructions were given. – Steffen Ullrich, yesterday

Tags: certificates, wifi

Asked yesterday (edited yesterday) by Mike, new contributor.
3 Answers
You are not giving enough context. If they are just requiring that you have the default DigiCert Global Root certificate (that is pre-installed on most operating systems and web browsers), that isn’t a problem.

That said, some network environments (typically workplaces with strict network policy) monitor network usage by using a man-in-the-middle attack on all HTTPS connections. You can test this by seeing if the HTTPS certificates’ fingerprints match well-known ones.

E.g., visit https://www.grc.com/fingerprints.htm on your phone and then visit a domain, and check that the SHA1 fingerprints match. (In most browsers you can find the certificate information by clicking on the lock in the URL bar and going through the menu to get certificate information.)

Please note they can always observe which IP addresses you are sending data to, all HTTP (not HTTPS) sites you are visiting, and the server name (www.example.com) of HTTPS sites you visit (the server name identification standard allows this to be sent in plaintext).

For example, typical Ubuntu installations come with DigiCert_Global_Root_CA.pem being trusted:

$ cat /etc/ssl/certs/DigiCert_Global_Root_CA.pem
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----

which contains the information:

$ openssl x509 -text -in /etc/ssl/certs/DigiCert_Global_Root_CA.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        Validity
            Not Before: Nov 10 00:00:00 2006 GMT
            Not After : Nov 10 00:00:00 2031 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
                    8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
                    cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
                    e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
                    df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
                    7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
                    39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
                    74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
                    c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
                    a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
                    6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
                    a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
                    91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
                    14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
                    d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
                    3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
                    f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
                    af:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
            X509v3 Authority Key Identifier: 
                keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55

    Signature Algorithm: sha1WithRSAEncryption
         cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
         04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
         f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
         a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
         63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
         63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
         ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
         79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
         e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
         cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
         3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
         91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
         47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
         f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
         95:95:6d:de

There should be no problem if they require you to have this certificate installed; e.g., Mozilla trusts it by default. It would be a problem if they require you to install and trust a different certificate by the same name. That said I am unfamiliar with the certificate going by the name “digicert sha2 secure server”. Is the fingerprint of that certificate listed in the certificates trusted by Mozilla?


  • (+2) “I am unfamiliar with the certificate going by the name ‘digicert sha2 secure server’” – this is an intermediate certificate signed by DigiCert Global Root CA. See this list of DigiCert CAs for more information. – Steffen Ullrich, yesterday

  • (+1) Assuming the certificates’ content matches the names (check fingerprints), then this is fine. Unless DigiCert is being very sketchy (in easily checkable ways that would put them out of business if found out), these certificates were issued by a trusted certificate authority (that most OSes and browsers trust). Trusting the intermediate certificate is no different from a trust standpoint than directly trusting the root that signed it, except that by trusting it directly you avoid trusting a SHA1 algorithm (which is broken against collision attacks, so should be avoided in certificates). – dr jimbob, yesterday

  • “…than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm …” – The SHA1 signature on the root certificate is irrelevant. See Why is it fine for Certificates above the end-entity certificate to be SHA1 based? – Steffen Ullrich, yesterday

  • It seems strange they would require him to install a legitimate intermediate certificate. I can’t think of a reason. Any ideas? – Daisetsu, yesterday

  • (+1) @Daisetsu: my guess is that it is only used for WiFi authentication like with EAP-TLS, see My school wifi asks to ‘trust’ a certificate on Iphone’s, does it this allow them to view SSL traffic? – Steffen Ullrich, yesterday

Edit: Looks like I wasn’t right on this one. If the certificate is legit, then it is probably used for RADIUS auth. It’s great to learn new stuff; that’s why I’m on here. Thanks Steffen 👍

It’s likely they are running a TLS interceptor. This means when you try to make a secure connection (https), the school responds with a fake certificate, which is then validated by the root CA they had you install.

This simply means secure connections are between you and the school, and then they make a second secure connection to wherever you were initially trying to connect to.

The end result of this is they can see anything passed over an https “secure” connection.

You can confirm this by going to an https web site, then checking what certificate was presented (look in the URL bar for a lock or shield icon for certificate information). If the certificate presented has a chain of trust which ends with the cert they had you install, you’re being intercepted.

This does not mean they have access to your files on your computer; it just means they are snooping on your SSL/TLS connections.


  • (+4) Given that these are publicly trusted CA certificates it is very very unlikely that these will be used for TLS interception. If a public CA would provide certificates for such a reason they would be very likely removed or blocked by the browsers – as happened in the past. It is more likely that these certificates are needed for trusting the certificate of the WiFi (Enterprise WPA2 with EAP-TLS or similar). – Steffen Ullrich, yesterday
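
The two checks recommended above, the fingerprint comparison from the first answer and the "does the chain end in the certificate they had you install" test from this one, come down to the same question: is the root you were asked to install the public DigiCert Global Root CA, or a different certificate that merely copies its name? The script below is an added example, not code from either answer or their authors, and uses only the Python standard library. It embeds the root PEM shown in the first answer, computes its fingerprints, reads the serial, issuer and subject with a minimal DER walker, and compares against the published fingerprints. Those published values are an assumption here and should be confirmed against DigiCert's own root page and the copy in your OS or browser trust store; the "lookalike" certificate is constructed by the script to stand in for a private CA that reuses the DigiCert name.

```python
import base64
import hashlib

# Same PEM as in the answer above (Ubuntu's /etc/ssl/certs/DigiCert_Global_Root_CA.pem).
DIGICERT_GLOBAL_ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----"""

# Fingerprints published for this root. Treated as an assumption here: confirm them
# against DigiCert's root page and the copy in your own OS/browser trust store.
KNOWN_ROOT_FINGERPRINTS = {
    "sha1": "A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36",
    "sha256": "43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61",
}

def pem_to_der(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case digest of the DER bytes, the form browsers display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_cert(der: bytes) -> dict:
    """Read serialNumber, issuer and subject from tbsCertificate (RFC 5280, section 4.1)."""
    _, p, _ = _tlv(der, 0)                       # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                       # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                              # [0] EXPLICIT version, present in v3 certificates
        p = end
    _, start, end = _tlv(der, p)                 # serialNumber INTEGER
    serial = der[start:end]
    _, _, p = _tlv(der, end)                     # signature AlgorithmIdentifier, skipped
    _, _, end = _tlv(der, p)                     # issuer Name, kept as the whole TLV
    issuer, p = der[p:end], end
    _, _, p = _tlv(der, p)                       # validity, skipped
    _, _, end = _tlv(der, p)                     # subject Name
    return {
        "serial": ":".join(f"{b:02x}" for b in serial),
        "issuer": issuer,
        "subject": der[p:end],
    }

def check_installed_root(der: bytes, known=KNOWN_ROOT_FINGERPRINTS) -> dict:
    """Is a root you were asked to install the public DigiCert root, or a different
    certificate that only carries the same name?"""
    info = parse_cert(der)
    name_matches = b"DigiCert Global Root CA" in info["subject"]
    self_signed = info["issuer"] == info["subject"]
    fp_matches = all(fingerprint(der, algo) == value for algo, value in known.items())
    return {
        "serial": info["serial"],
        "name_matches": name_matches,
        "self_signed": self_signed,
        "fingerprint_matches": fp_matches,
        "genuine": name_matches and self_signed and fp_matches,
    }

def make_lookalike(der: bytes) -> bytes:
    """Constructed negative case: identical subject and issuer, different certificate.
    Flipping one signature byte changes every fingerprint; a private CA that copied the
    DigiCert name would have its own key instead and fail the comparison the same way."""
    return der[:-1] + bytes([der[-1] ^ 0xFF])

if __name__ == "__main__":
    genuine = pem_to_der(DIGICERT_GLOBAL_ROOT_CA_PEM)
    for label, der in (("shipped root", genuine), ("lookalike", make_lookalike(genuine))):
        print(label, fingerprint(der, "sha1"), check_installed_root(der))
```

The shipped root comes back with the serial the openssl output above shows and matching fingerprints; the lookalike has the same subject and issuer bytes yet fails the fingerprint comparison, which is exactly the "different certificate by the same name" case the first answer warns about. To apply the same comparison to what the school network presents for a site, `ssl.SSLSocket.getpeercert(binary_form=True)` returns the DER of the leaf certificate a server sent and can be passed straight to `fingerprint()`; a leaf whose fingerprint differs from the one seen for the same site outside the school network (or on the GRC page linked in the first answer) is the sign of interception.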

If they want to then sure, all they have to do is track where incoming and outgoing data is going. Routers have a private and a public IP. The public IP is what anything outside of your network sees (you can find your public IP by typing “What’s my IP” in Google), while the private IP is an address your computer is assigned so your data is sent to you and not the wrong person on the same network.

So in theory all they have to do is use a program that logs all data packets on their network, then they just get your MAC address from the computer and match it to the logs.

So in short, anything on someone’s network that’s not protected by a VPN can and probably will be viewed at some point.

  • (+2) That’s not correct. Traffic encrypted via TLS in a normal situation wouldn’t be viewable other than the public IP you are communicating with. Even DNS traffic can be encrypted. The issue is this root CA allows them to potentially read the TLS connections. – Daisetsu, yesterday

  • (+1) Are you saying that if I use Gmail (which uses TLS), then the school would see the contents of the emails anyway? If this is what you are saying, then this is dead wrong. Yes, they will see that I’m using Gmail, but that’s not the question. You also do not address anything to do with the certs. – schroeder♦, yesterday

  • This is what I said. No I’m not, Schroeder, I’m saying if they wanted to know his history then they would just look at the requests. As for the certs, I’m not familiar with the program and decided not to speak on the matter and at least try to be nice. As a mod, your job is to provide a quick and professional answer to the users of this forum, not shut people down when they try to help. ☹ – EvilBmo, yesterday

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: “”.split(” “),
id: “162”
};
initTagRenderer(“”.split(” “), “”.split(” “), channelOptions);

StackExchange.using(“externalEditor”, function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using(“snippets”, function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: ‘answer’,
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: “”,
noCode: true, onDemand: true,
discardSelector: “.discard-answer”
,immediatelyShowMarkdownHelp:true
});

}
});

Mike is a new contributor. Be nice, and check out our Code of Conduct.

 
draft saved
draft discarded

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin(‘.new-post-login’, ‘https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195255%2fcan-my-school-see-exactly-what-i-m-doing%23new-answer’, ‘question_page’);
}
);

Post as a guest

3 Answers
3

active

oldest

votes

3 Answers
3

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
6
down vote

You are not giving enough context. If they are just requiring that you have the default digicert global root certificate (that is pre-installed on most operating systems and web browsers), that isn’t a problem.

That said, some network environments (typically workplaces with strict network policy) monitor network usage by using a man-in-the-middle attack on all HTTPS connections. You can test this by seeing if the HTTPS certificates fingerprints match well known ones.

E.g., visit https://www.grc.com/fingerprints.htm on your phone and then visit a domain, and check that the SHA1 fingerprints match. (In most browsers you can find the certificate information by clicking on the lock part of the URL and going through the menu to get certificate information).

Please note they can always observe which IP connections you are sending data with, all HTTP (not HTTPS) you are visiting, the server name (www.example.com) of HTTPS sites you visit (the server name identification standard allows this to be sent in plaintext).

For example, typical ubuntu installations come with DigiCert_Global_Root_CA.pem being trusted:

$ cat /etc/ssl/certs/DigiCert_Global_Root_CA.pem 
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----

which contains the information:

$ openssl x509 -text -in /etc/ssl/certs/DigiCert_Global_Root_CA.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        Validity
            Not Before: Nov 10 00:00:00 2006 GMT
            Not After : Nov 10 00:00:00 2031 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
                    8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
                    cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
                    e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
                    df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
                    7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
                    39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
                    74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
                    c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
                    a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
                    6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
                    a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
                    91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
                    14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
                    d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
                    3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
                    f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
                    af:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
            X509v3 Authority Key Identifier: 
                keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55

    Signature Algorithm: sha1WithRSAEncryption
         cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
         04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
         f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
         a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
         63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
         63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
         ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
         79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
         e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
         cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
         3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
         91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
         47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
         f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
         95:95:6d:de

There should be no problem if they require you to have this certificate installed; e.g., Mozilla trusts it by default. It would be a problem if they require you to install and trust a different certificate by the same name. That said, I am unfamiliar with the certificate going by the name “digicert sha2 secure server”. Is the fingerprint of that certificate listed in the certificates trusted by Mozilla?

share|improve this answer

  • 2

    “I am unfamiliar with the certificate going by the name “digicert sha2 secure server” – this is an intermediate certificate signed by DigiCert Global Root CA. See this list of DigiCert CA for more information.
    – Steffen Ullrich
    yesterday

  • 1

    Assuming the certificates’ content matches the names (check fingerprints), then this is fine. Unless DigiCert is being very sketchy (in easily checkable ways that would put them out of business if found out), these certificates were issued by a trusted certificate authority (that most OSes and browsers trust). Trusting the intermediate certificate is not different from a trust standpoint than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm (which is broken against collision attacks so should be avoided in certificates).
    – dr jimbob
    yesterday

  • “…than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm …” – The SHA1 signature on the root certificate is irrelevant. See Why is it fine for Certificates above the end-entity certificate to be SHA1 based?
    – Steffen Ullrich
    yesterday

  • It seems strange they would require him to install a legitimate intermediate certificate. I can’t think of a reason. Any ideas?
    – Daisetsu
    yesterday

  • 1

    @Daisetsu: my guess is that it is only used for WiFi authentication like with EAP-TLS, see My school wifi asks to ‘trust’ a certificate on Iphone’s, does it this allow them to view SSL traffic?
    – Steffen Ullrich
    yesterday

answered yesterday

dr jimbob

33.6k676144

up vote
2
down vote

Edit: Looks like I wasn’t right on this one. If the certificate is legit, then it is probably used for RADIUS auth. It’s great to learn new stuff, that’s why I’m on here. Thanks Steffen 👍

It’s likely they are running a TLS interceptor. This means when you try to make a secure connection (https), the school responds with a fake certificate, which is then validated by the root CA they had you install.

This simply means secure connections are between you and the school, and then they make a second secure connection to wherever you were initially trying to connect to.

The end result of this is they can see anything passed over a https “secure” connection.

You can confirm this by going to an https web site, then checking what certificate was presented (look in the URL bar for a lock or shield icon for certificate information). If the certificate presented has a chain of trust which ends with the cert they had you install you’re being intercepted.

This does not mean they have access to your files on your computer, it just means they are snooping on your SSL/TLS connections.

share|improve this answer

  • 4

    Given that these are publicly trusted CA certificates it is very very unlikely that these will be used for TLS interception. If a public CA would provide certificates for such a reason they would be very likely removed or blocked by the browsers – as happened in the past. It is more likely that these certificates are needed for trusting the certificate of the WiFi (Enterprise WPA2 with EAP-TLS or similar).
    – Steffen Ullrich
    yesterday

edited yesterday

answered yesterday

Daisetsu

1,913513

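The chain check described in the answer above, as an added example written for this page (not code from the post or from any vendor): it verifies the chain a server presented against the device's trust store, takes the trust anchor the chain terminates at, and compares its SHA-256 fingerprint (the value a certificate viewer lists under "fingerprints") with that of the CA you were asked to install. All certificates are constructed in-process; `InterceptedBy` and `makeCert` are names this example introduces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InterceptedBy verifies the chain a server presented (leaf first, then intermediates) against
// the device trust store and reports whether the root it terminates at is the installed CA.
func InterceptedBy(presented []*x509.Certificate, trusted *x509.CertPool, host string, installed *x509.Certificate) (bool, error) {
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: trusted, Intermediates: inter})
	if err != nil {
		return false, err // untrusted chain: the browser would warn rather than connect silently
	}
	root := chains[0][len(chains[0])-1] // the trust anchor is the last cert of the first valid chain
	return sha256.Sum256(root.Raw) == sha256.Sum256(installed.Raw), nil
}

// makeCert builds constructed sample certificates for this demo (self-signed when parent is nil).
func makeCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, pkey = t, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	ca, caKey := makeCert("School Root CA (constructed)", true, nil, nil)
	leaf, _ := makeCert("mail.example.test", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println(InterceptedBy([]*x509.Certificate{leaf}, pool, "mail.example.test", ca)) // true <nil>
}
```

With a real trust store (`x509.SystemCertPool()`) and the chain taken from a live TLS connection, the same comparison answers the question for any site you visit.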

up vote
-2
down vote

If they want to then sure, all they have to do is track where incoming and outgoing data is going. Routers have a private and a public IP; the public IP is what anything outside of your network sees (you can find your public IP by typing “What’s my IP” in Google), while the private IP is an address your computer is assigned so your data is sent to you and not the wrong person on the same network.

So in theory all they have to do is use a program that logs all data packets on their network; then they just get your MAC address from the computer and match it to the logs.

So in short, anything on someone’s network that’s not protected by a VPN can and probably will be viewed at some point.

share|improve this answer

New contributor
EvilBmo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

  • 2

    That’s not correct. Traffic encrypted via TLS in a normal situation wouldn’t be viewable other than the public IP you are communicating with. Even DNS traffic can be encrypted. The issue is this root CA allows them to potentially read the TLS connections.
    – Daisetsu
    yesterday

  • 1

    Are you saying that if I use Gmail (which uses TLS), then the school would see the contents of the emails anyway? If this is what you are saying, then this is dead wrong. Yes, they will see that I’m using Gmail, but that’s not the question. You also do not address anything to do with the certs.
    – schroeder♦
    yesterday

  • This is what I said. No I’m not, Schroeder, I’m saying if they wanted to know his history then they would just look at the requests. As for the certs, I’m not familiar with the program and decided not to speak on the matter and at least try to be nice. As a mod your job is to provide a quick and professional answer to the users of this forum, not shut people down when they try to help. ☹
    – EvilBmo
    yesterday


edited yesterday

schroeder♦

66.3k25140177

answered yesterday

EvilBmo

326

