Can my school see exactly what I'm doing?
My school requires us to install DigiCert Global Root CA and DigiCert SHA2 Secure Server on our personal devices to access the secure and guest WiFi. Does this mean that the school can see the contents of personal emails (not on the given .edu account) as well as our exact history?
Edit: also, the use of VPNs is not allowed.
wifi
Possible duplicate of My school wifi asks to 'trust' a certificate on Iphone's, does it this allow them to view SSL traffic?
– Steffen Ullrich
1 hour ago
@SteffenUllrich The other question is asking about trusting a certificate for EAP/WPA2 Enterprise, necessary for secure WiFi. This is apparently asking about installing a root CA.
– user71659
1 hour ago
@user71659: at the end, in both questions the users are asked to trust the DigiCert SHA2 Secure Server CA. Given that this is an intermediate CA signed by DigiCert Global Root CA, the client also needs to trust this root CA in order to create the trust chain. See this list of DigiCert CAs for more information.
– Steffen Ullrich
59 mins ago
@SteffenUllrich No. There are different levels of trust, so the risk is far different. When you trust an EAP certificate, the OS trusts it for the purpose of EAP authentication, often bound only to the specific WiFi SSID. That is, it only allows the login exchange with only those servers connected to that specific SSID. If you're on a Mac, open the cert up in Keychain; you can see the settings. Installing a root CA trusts the certificate for all purposes it claims to be used for, including code signing and TLS. This is far broader.
– user71659
54 mins ago
@user71659: I don't see any mention of a specific OS in the question, and I don't see that the question explicitly says that the CA should be installed to be trusted globally. Instead it says that these certificates should be (somehow - no specifics are given) installed in order to access the guest Wifi. Insofar it looks to me the same as the other one, i.e. install a CA certificate so that one can automatically trust the Wifi. It would probably be useful if the OP could provide more detailed information on what exactly was requested and which instructions were given.
– Steffen Ullrich
47 mins ago
asked 2 hours ago by Mike (162), edited 1 hour ago
3 Answers
You are not giving enough context. If they are just requiring that you have the default DigiCert Global Root certificate (which is pre-installed on most operating systems and web browsers), that isn't a problem.
That said, some network environments (typically workplaces with strict network policy) monitor network usage by using a man-in-the-middle attack on all HTTPS connections. You can test this by seeing if the HTTPS certificates' fingerprints match well-known ones.
E.g., visit https://www.grc.com/fingerprints.htm on your phone, then visit a domain and check that the SHA1 fingerprints match. (In most browsers you can find the certificate information by clicking on the lock in the URL bar and going through the menu to get certificate information.)
Please note they can always observe which IP connections you are sending data over, all HTTP (not HTTPS) sites you are visiting, and the server name (www.example.com) of HTTPS sites you visit (the server name identification standard allows this to be sent in plaintext).
For example, typical Ubuntu installations come with DigiCert_Global_Root_CA.pem being trusted:
$ cat /etc/ssl/certs/DigiCert_Global_Root_CA.pem
which contains the information:
$ openssl x509 -text -in /etc/ssl/certs/DigiCert_Global_Root_CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Validity
Not Before: Nov 10 00:00:00 2006 GMT
Not After : Nov 10 00:00:00 2031 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
af:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
X509v3 Authority Key Identifier:
keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
Signature Algorithm: sha1WithRSAEncryption
cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
95:95:6d:de
There should be no problem if they require you to have this certificate installed; e.g., Mozilla trusts it by default. It would be a problem if they require you to install and trust a different certificate by the same name. That said, I am unfamiliar with the certificate going by the name "digicert sha2 secure server". Is the fingerprint of that certificate listed in the certificates trusted by Mozilla?
"I am unfamiliar with the certificate going by the name "digicert sha2 secure server"" - this is an intermediate certificate signed by DigiCert Global Root CA. See this list of DigiCert CAs for more information.
– Steffen Ullrich
57 mins ago
Assuming the certificates' content matches the names (check fingerprints), then this is fine. Unless DigiCert is being very sketchy (in easily checkable ways that would put them out of business if found out), these certificates were issued by a trusted certificate authority (that most OSes and browsers trust). Trusting the intermediate certificate is not different from a trust standpoint than directly trusting the root that signed it; except that by trusting it directly you avoid trusting a SHA1 algorithm (which is broken against collision attacks, so it should be avoided in certificates).
– dr jimbob
21 mins ago
"...than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm ..." - The SHA1 signature on the root certificate is irrelevant. See Why is it fine for Certificates above the end-entity certificate to be SHA1 based?
– Steffen Ullrich
14 mins ago
It seems strange they would require him to install a legitimate intermediate certificate. I can't think of a reason. Any ideas?
– Daisetsu
10 mins ago
@Daisetsu: my guess is that it is only used for WiFi authentication like with EAP-TLS, see My school wifi asks to 'trust' a certificate on Iphone's, does it this allow them to view SSL traffic?
– Steffen Ullrich
1 min ago
It's likely they are running a TLS interceptor. This means that when you try to make a secure connection (https), the school responds with a fake certificate, which is then validated by the root CA they had you install.
This simply means secure connections are between you and the school, and then they make a second secure connection to wherever you were initially trying to connect to.
The end result of this is they can see anything passed over an https "secure" connection.
You can confirm this by going to an https web site, then checking what certificate was presented (look in the URL bar for a lock or shield icon for certificate information). If the certificate presented has a chain of trust which ends with the cert they had you install, you're being intercepted.
This does not mean they have access to your files on your computer; it just means they are snooping on your SSL/TLS connections.
Given that these are publicly trusted CA certificates it is very very unlikely that these will be used for TLS interception. If a public CA would provide certificates for such a reason they would be very likely removed or blocked by the browsers - as happened in the past. It is more likely that these certificates are needed for trusting the certificate of the WiFi (Enterprise WPA2 with EAP-TLS or similar).
– Steffen Ullrich
1 hour ago
If it's a legitimate certificate (not one generated to look similar) then I agree. I've never seen a requirement like that before which was unrelated to an interception attempt. Any speculation on what a legit use would be?
– Daisetsu
8 mins ago
Hey Mike, if they want to then sure, all they have to do is track where incoming and outgoing data is... well, going. You see, routers have a private and a public IP. The public IP is what anything outside of your network sees (you can find your public IP by typing "What's my IP" into Google), while the private IP is an address your computer is assigned so your data is sent to you and not to the wrong person on the same network.
So in theory all they have to do is use a program that logs all data packets on their network; then they just get your MAC address from the computer and match it to the logs.
So in short, anything on someone's network that's not protected by a VPN can and probably will be viewed at some point.
That's not correct. Traffic encrypted via TLS in a normal situation wouldn't be viewable other than the public IP you are communicating with. Even DNS traffic can be encrypted. The issue is this root CA allows them to potentially read the TLS connections.
– Daisetsu
14 mins ago
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
You are not giving enough context. If they are just requiring that you have the default digicert global root certificate (that is pre-installed on most operating systems and web browsers), that isn't a problem.
That said, some network environments (typically workplaces with strict network policy) monitor network usage by using a man-in-the-middle attack on all HTTPS connections. You can test this by seeing if the HTTPS certificates fingerprints match well known ones.
E.g., visit https://www.grc.com/fingerprints.htm on your phone and then visit a domain, and check that the SHA1 fingerprints match. (In most browsers you can find the certificate information by clicking on the lock part of the URL and going through the menu to get certificate information).
Please note they can always observe which IP connections you are sending data with, all HTTP (not HTTPS) you are visiting, the server name (www.example.com) of HTTPS sites you visit (the server name identification standard allows this to be sent in plaintext).
For example, typical ubuntu installations come with DigiCert_Global_Root_CA.pem being trusted:
$ cat /etc/ssl/certs/DigiCert_Global_Root_CA.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
which contains the information:
$ openssl x509 -text -in /etc/ssl/certs/DigiCert_Global_Root_CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Validity
Not Before: Nov 10 00:00:00 2006 GMT
Not After : Nov 10 00:00:00 2031 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
af:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
X509v3 Authority Key Identifier:
keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
Signature Algorithm: sha1WithRSAEncryption
cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
95:95:6d:de
There should be no problem if they require you to have this certificate installed; e.g., Mozilla trusts it by default. It would be a problem if they require you to install and trust a different certificate by the same name. That said I am unfamiliar with the certificate going by the name "digicert sha2 secure server". Is the fingerprint of that certificate listed in the certificates trusted by Mozilla?
"I am unfamiliar with the certificate going by the name "digicert sha2 secure server" - this is a intermediate certificate signed by DigiCert Global Root CA. See this list of DigiCert CA for more information.
â Steffen Ullrich
57 mins ago
Assuming the certificates content matches the names (check fingerprints), then this is fine. Unless DigiCert is being very sketchy (in easily checkable ways that would put them out of business if found out), these certificates were issued by a trusted certificate authority (that most OSes and browsers trust). Trusting the intermediate certificate is not different from a trust standpoint than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm (which is broken against collision attacks so should be avoided in certificates).
â dr jimbob
21 mins ago
"...than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm ..." - The SHA1 signature on the root certificate is irrelevant. See Why is it fine for Certificates above the end-entity certificate to be SHA1 based?
â Steffen Ullrich
14 mins ago
It seems strange they would require him to install a legitimate intermediate certificate. I can't think of a reason. Any ideas?
â Daisetsu
10 mins ago
@Daisetsu: my guess is that it is only used for WiFi authentication like with EAP-TLS, see My school wifi asks to 'trust' a certificate on Iphone's, does it this allow them to view SSL traffic?
â Steffen Ullrich
1 min ago
add a comment |Â
up vote
2
down vote
You are not giving enough context. If they are just requiring that you have the default digicert global root certificate (that is pre-installed on most operating systems and web browsers), that isn't a problem.
That said, some network environments (typically workplaces with strict network policy) monitor network usage by using a man-in-the-middle attack on all HTTPS connections. You can test this by seeing if the HTTPS certificates fingerprints match well known ones.
E.g., visit https://www.grc.com/fingerprints.htm on your phone and then visit a domain, and check that the SHA1 fingerprints match. (In most browsers you can find the certificate information by clicking on the lock part of the URL and going through the menu to get certificate information).
Please note they can always observe which IP connections you are sending data with, all HTTP (not HTTPS) you are visiting, the server name (www.example.com) of HTTPS sites you visit (the server name identification standard allows this to be sent in plaintext).
For example, typical ubuntu installations come with DigiCert_Global_Root_CA.pem being trusted:
$ cat /etc/ssl/certs/DigiCert_Global_Root_CA.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
which contains the information:
$ openssl x509 -text -in /etc/ssl/certs/DigiCert_Global_Root_CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Validity
Not Before: Nov 10 00:00:00 2006 GMT
Not After : Nov 10 00:00:00 2031 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
af:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
X509v3 Authority Key Identifier:
keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
Signature Algorithm: sha1WithRSAEncryption
cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
95:95:6d:de
There should be no problem if they require you to have this certificate installed; e.g., Mozilla trusts it by default. It would be a problem if they require you to install and trust a different certificate by the same name. That said, I am unfamiliar with the certificate going by the name "digicert sha2 secure server". Is the fingerprint of that certificate listed in the certificates trusted by Mozilla?
"I am unfamiliar with the certificate going by the name "digicert sha2 secure server" - this is an intermediate certificate signed by DigiCert Global Root CA. See this list of DigiCert CA for more information.
– Steffen Ullrich
57 mins ago
Assuming the certificates' content matches the names (check fingerprints), then this is fine. Unless DigiCert is being very sketchy (in easily checkable ways that would put them out of business if found out), these certificates were issued by a trusted certificate authority (that most OSes and browsers trust). Trusting the intermediate certificate is not different from a trust standpoint than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm (which is broken against collision attacks so should be avoided in certificates).
– dr jimbob
21 mins ago
"...than directly trusting the root that signed it; except by trusting it directly you avoid trusting a SHA1 algorithm ..." - The SHA1 signature on the root certificate is irrelevant. See Why is it fine for Certificates above the end-entity certificate to be SHA1 based?
– Steffen Ullrich
14 mins ago
It seems strange they would require him to install a legitimate intermediate certificate. I can't think of a reason. Any ideas?
– Daisetsu
10 mins ago
@Daisetsu: my guess is that it is only used for WiFi authentication like with EAP-TLS, see My school wifi asks to 'trust' a certificate on Iphone's, does it this allow them to view SSL traffic?
– Steffen Ullrich
1 min ago
answered 1 hour ago
dr jimbob
33.5k676144
It's likely they are running a TLS interceptor. This means when you try to make a secure connection (https), the school responds with a fake certificate, which is then validated by the root CA they had you install.
This simply means secure connections are between you and the school, and then they make a second secure connection to wherever you were initially trying to connect to.
The end result of this is they can see anything passed over an https "secure" connection.
You can confirm this by going to an https web site, then checking what certificate was presented (look in the URL bar for a lock or shield icon for certificate information). If the certificate presented has a chain of trust which ends with the cert they had you install, you're being intercepted.
This does not mean they have access to your files on your computer, it just means they are snooping on your SSL/TLS connections.
answered 1 hour ago
Daisetsu
1,633412
Given that these are publicly trusted CA certificates it is very very unlikely that these will be used for TLS interception. If a public CA would provide certificates for such a reason they would be very likely removed or blocked by the browsers - as happened in the past. It is more likely that these certificates are needed for trusting the certificate of the WiFi (Enterprise WPA2 with EAP-TLS or similar).
– Steffen Ullrich
1 hour ago
If it's a legitimate certificate (not one generated to look similar) then I agree. I've never seen a requirement like that before which was unrelated to an interception attempt. Any speculation on what a legit use would be?
– Daisetsu
8 mins ago
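Both checks the two answers above describe can be done offline with nothing but the Python standard library: dr jimbob's "compare the fingerprint of the certificate you were told to install against the real DigiCert one", and Daisetsu's "does the chain of trust for a public site end at that certificate". The script below is an added example, not code from either answer. The only real input it embeds is the DigiCert Global Root CA PEM dumped with openssl earlier on this page; the function names, the tiny DER walker and the optional network helper fetch_leaf() are this example's own.

```python
# Added example, not code from either answer: inspect a certificate with only the
# Python standard library.  Sole real input: the DigiCert Global Root CA dumped above.
import base64, hashlib, re, socket, ssl

DIGICERT_GLOBAL_ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----"""

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """DER bytes of every certificate in a PEM file or bundle."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_BLOCK.findall(text)]

def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER, the form browsers and CAs publish."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _tlv(buf, pos):
    """Read one DER element: (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, value) of each element directly inside a SEQUENCE or SET."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _common_name(name_value):
    """commonName (OID 2.5.4.3) from the contents of an X.501 Name."""
    for _, rdn in _children(name_value):                 # Name ::= SEQUENCE OF RDN
        for _, atv in _children(rdn):                    # RDN  ::= SET OF AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            if oid == b"\x55\x04\x03":
                return val.decode("utf-8", "replace")
    return "<no CN>"

def parse_cert(der):
    """Serial, issuer, subject and fingerprints of one DER certificate."""
    _, cert, _ = _tlv(der, 0)                            # Certificate
    _, tbs, _ = _tlv(cert, 0)                            # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _sig_alg, issuer, _validity, subject = fields[:5]
    return {"serial": serial[1].hex(),
            "issuer": _common_name(issuer[1]), "issuer_name": issuer[1],
            "subject": _common_name(subject[1]), "subject_name": subject[1],
            "sha1": fingerprint(der, "sha1"), "sha256": fingerprint(der, "sha256")}

def chain_anchor(chain_ders, trusted_ders):
    """The trusted CA whose subject is the issuer of the chain's top cert, or None.
    If the CA you were told to install is the anchor for every public site, TLS is
    being terminated on the network (Daisetsu's case); a public root is the norm."""
    top = parse_cert(chain_ders[-1])
    for ca in trusted_ders:
        info = parse_cert(ca)
        if info["subject_name"] == top["issuer_name"]:
            return info
    return None

def fetch_leaf(host, port=443, timeout=5):
    """Leaf certificate a server presents (network; not exercised by the tests).
    Verification is off on purpose: we want whatever the network hands us, including
    a forged leaf that the default trust store would reject."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    info = parse_cert(pem_to_ders(DIGICERT_GLOBAL_ROOT_CA_PEM)[0])
    print(info["subject"], "serial", info["serial"])
    print("SHA1  ", info["sha1"])          # compare with the fingerprint DigiCert publishes
    print("SHA256", info["sha256"])
```

Run parse_cert() over the file the school handed you first: a subject other than the DigiCert names, or fingerprints that do not match what DigiCert publishes for those CAs, means you were given something else under a familiar name. Then, from the school WiFi, feed a few public sites' certificates into chain_anchor() with that CA as the trusted set. fetch_leaf() only returns the leaf, which is usually enough, since an interception proxy typically issues forged leaves straight from the installed CA; the browser's certificate viewer shows the full chain when you want to be thorough. The helper is a recognizer for X.509's outer structure only (it stops at the subject and never touches extensions or signatures), which is all these two checks need.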
Hey Mike, if they want to then sure, all they have to do is track where incoming and outgoing data is... well, going. You see, routers have a private and a public IP. The public IP is what anything outside of your network sees (you can find your public IP by typing "What's my IP" in Google), while the private IP is an address your computer is assigned so your data is sent to you and not to the wrong person on the same network.
So in theory all they have to do is use a program that logs all data packets on their network, then they just get your MAC address from the computer and match it to the logs.
So in short, anything on someone's network that's not protected by a VPN can and probably will be viewed at some point.
answered 1 hour ago
EvilBmo
145
That's not correct. Traffic encrypted via TLS in a normal situation wouldn't be viewable other than the public IP you are communicating with. Even DNS traffic can be encrypted. The issue is this root CA allows them to potentially read the TLS connections.
– Daisetsu
14 mins ago
@user71659: I don't see any mention of a specific OS in the question and I don't see that the question explicitly says that the CA should be installed to be trusted globally. Instead it says that these certificates should be (somehow - no specifics are given) installed in order to access the guest Wifi. Insofar it looks to me the same as the other one, i.e. install a CA certificate so that one can automatically trust the Wifi. It would probably be useful if the OP could provide more detailed information on what exactly was requested and which instructions were given.
– Steffen Ullrich
47 mins ago