To use the wifi at my university, you must install a CA root certificate by them
Question
To use the wifi at my university, you must install a CA root certificate by them. In my case, I am using a Mac computer with a VPN installed.
I'm curious, what can they see me do on my computer by forcing me to install their certificate? Can they see my login information to websites? Can they see what websites I visit, even though I'm using a VPN? If so, is there anything I can do to prevent this? I do not know much about certificates, so it caught my attention.
Also, they use Google's DNS, 8.8.8.8, and a couple of DNS servers that start with 208.
Thanks for any information.
Explanation / Answer
From your description, you don't seem to have installed a new CA at all; you accepted a certificate to authenticate the wireless network, or accepted an already-installed CA to verify certificates to authenticate that network. This is not a security risk; it's fairly normal, does not let the university sign their own certificates, and does not let them impersonate websites. All it does is verify the identity of the server that processes the credentials you used to log on to the wireless network.
Some background: Many universities use WPA/WPA2 Enterprise security, which involves logging in to the wifi network with your university username and password (entered into the wifi client, not a web browser). In such cases, the authentication server (called a RADIUS server) needs to verify its identity, which it does with a certificate, just like for websites.
For websites, a CA can verify a certificate for a particular domain. However, there's no good way to do that for RADIUS servers; I might have a legitimate certificate for radius.cpast.com, but that doesn't mean you should trust my RADIUS server when connecting to SchoolWifi. So, it's pretty common to be prompted to manually accept the certificate for the wireless network. This is not a security risk; you aren't accepting a university-controlled CA, you're accepting a particular certificate for that specific wifi network.
(Windows does it a bit differently: you do accept an (already-installed) CA for the wireless network, but it also remembers the RADIUS server's domain, so trying to pass off radius.cpast.com for SchoolWifi wouldn't work because Windows would only accept certificates for radius.school.edu and from a particular CA that the user accepted when first connecting.)
So it's not unusual to get a certificate prompt, and it's not generally a security risk to accept it.
EDIT: With your comments, it's even clearer that this is what's happening. Thawte is a generally trusted CA; common browsers and OSs already trust it to verify a website. It comes preinstalled on your computer, because Apple trusts them. However, it is not trusted to verify a RADIUS server by default, so you're manually accepting the school's certificate.
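As an added illustration of the answer's point (this is not code from the post), the model below mimics how a Wi-Fi client decides whether to trust the RADIUS server's certificate for a given SSID. The certificates are constructed stand-ins, the names radius.school.edu, radius.cpast.com and Thawte are taken from the answer, and the three policies are assumptions that mirror the behaviours it describes: pinning the specific certificate the user accepted, pinning the issuing CA plus the expected server domain, and a weak CA-only check that would accept any certificate from the same public CA.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a RADIUS server certificate (constructed, not parsed)."""
    subject: str   # server name in the certificate, e.g. radius.school.edu
    issuer: str    # CA that signed it, e.g. Thawte
    der: bytes     # stand-in for the encoded certificate bytes

    def fingerprint(self) -> str:
        # Clients that "accept this certificate" remember a hash of the exact bytes.
        return hashlib.sha256(self.der).hexdigest()

def name_matches(subject: str, expected_suffix: str) -> bool:
    """Label-boundary suffix match: 'school.edu' accepts 'radius.school.edu'
    but rejects 'evilschool.edu' (an unanchored endswith() would accept it)."""
    subject, expected_suffix = subject.lower(), expected_suffix.lower()
    return subject == expected_suffix or subject.endswith("." + expected_suffix)

def trusted_by_pinned_cert(cert: Cert, pinned_fingerprint: str) -> bool:
    """macOS-style prompt: one specific certificate is remembered for the SSID."""
    return cert.fingerprint() == pinned_fingerprint

def trusted_by_ca_and_name(cert: Cert, trusted_ca: str, expected_suffix: str) -> bool:
    """Windows-style check: the issuing CA *and* the server's domain must both match."""
    return cert.issuer == trusted_ca and name_matches(cert.subject, expected_suffix)

def trusted_by_ca_only(cert: Cert, trusted_ca: str) -> bool:
    """Weak check: any certificate from the public CA is accepted, whoever holds it."""
    return cert.issuer == trusted_ca

# Constructed sample certificates; both were issued by the same public CA.
SCHOOL = Cert("radius.school.edu", "Thawte", b"constructed school RADIUS cert")
IMPOSTOR = Cert("radius.cpast.com", "Thawte", b"constructed cpast RADIUS cert")
PINNED = SCHOOL.fingerprint()   # what the user accepted on first connection

def evaluate(cert: Cert) -> dict:
    """Return each policy's verdict for a certificate presented for SchoolWifi."""
    return {
        "pin_cert": trusted_by_pinned_cert(cert, PINNED),
        "ca_and_name": trusted_by_ca_and_name(cert, "Thawte", "school.edu"),
        "ca_only": trusted_by_ca_only(cert, "Thawte"),
    }

if __name__ == "__main__":
    for c in (SCHOOL, IMPOSTOR):
        print(c.subject, evaluate(c))
```

Only the CA-only policy accepts the radius.cpast.com certificate, which is why clients pin either the exact certificate or the CA together with the server name rather than trusting the public CA alone.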