BananaBaconFries t1_iy3yt90 wrote
I don't understand or speak German(?). But common reasons why certificates are installed on a computer, mobile device etc. are to skip the certificate error a user encounters or to allow the device to "present" itself to a network device when attempting to use it; such use cases are:
- Decryption: They are inspecting your traffic, like the actual data (payload); many security products do this. This allows these products to inspect/protect you. HOWEVER, highlighting this allows your school to see your data. (This is actually a MiTM (Man in the Middle) attack if it was not coming from a trusted source.)
- Authentication: Certificate-based client authentication; could be used for RADIUS or client authentication
I'm also reading that it is unsigned? This is actually normal; these tend to be self-signed certificates (SSC). Since basically you are trusting a Root CA Certificate (this is a whole other level of discussion which I won't get into detail on).
Considering I can see the word WLAN in there, it's likely used for Authentication, i.e., allowing you to connect to your school's WiFi; could be using EAP-TLS since they are using certificates.
- Source: Working as a Systems Engineer specializing in this stuff
- Recommendation: Just take note you've installed said certificate; don't forget to delete it after, like, your term ends there at your school. Also install it on devices you actually use for school, e.g., if you just want to connect your phone to get free internet and not use it to access school resources, then don't do it.
EDIT: I am assuming your iPhone is school owned, like you work at that school? If this is a personal device, tbh I would not install it; trusting a certificate is a major consideration when installing it on a personal device and is honestly a breach of your own personal privacy (especially considering your school IT likely did not tell you what its purpose is, since you asked it here on this reddit).
House-of-Suns t1_iy4k8lt wrote
Yeah this 100%. Sysadmin in a UK school here. Our older students have a “Bring Your Own Device” WiFi network so they can use their own devices in school, however due to mandatory safeguarding requirements in UK schools that web usage must still be filtered and monitored. Perhaps Germany have similar requirements? Regardless, I agree it’s totally on the IT to let people know what they’re doing, particularly with their own devices.
rogerhub t1_iy4t7z9 wrote
This help article says certificates aren’t trusted for SSL if they come from manually installed profiles, unless you explicitly enable trust. If this is true, I’m guessing that there’s no privacy issue with installing the profile, and the only effect it should have is enabling EAP login to access the wifi.
Sufficient_Row77 t1_iy5qcqz wrote
I don’t know if this helps but it’s German and it says that the profile has no signature and that it includes WiFi and two certificates.
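Added example, not part of any comment in this thread: a short Python script that opens an unsigned `.mobileconfig` profile and lists what it would install, so the "WiFi plus two certificates" description above can be checked before tapping Install. The payload keys are from Apple's configuration profile format; the sample profile, its SSID and its UUIDs are constructed placeholders, and `summarize_profile` is a name chosen for this example.

```python
import plistlib
# PayloadType values from Apple's configuration profile format.
CERT_TYPES = {
    "com.apple.security.root": "CA certificate",
    "com.apple.security.pkcs1": "certificate",
    "com.apple.security.pkcs12": "client identity (cert + private key)",
}
EAP_TLS = 13  # EAP method number for EAP-TLS

def summarize_profile(data: bytes) -> dict:
    """Summarize what an unsigned .mobileconfig would install."""
    if data[:1] == b"\x30":  # DER SEQUENCE: CMS-signed wrapper, not a bare plist
        raise ValueError("signed profile: extract the CMS payload first")
    profile = plistlib.loads(data)
    summary = {"wifi": [], "certificates": [], "other": []}
    for p in profile.get("PayloadContent", []):
        ptype = p.get("PayloadType", "")
        if ptype == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            summary["wifi"].append({
                "ssid": p.get("SSID_STR"),
                "eap_tls": EAP_TLS in eap.get("AcceptEAPTypes", []),
                # Certificate payloads trusted for this network's EAP server check.
                "server_trust_anchors": eap.get("PayloadCertificateAnchorUUID", []),
                "client_identity": p.get("PayloadCertificateUUID"),
            })
        elif ptype in CERT_TYPES:
            summary["certificates"].append((p.get("PayloadUUID"), CERT_TYPES[ptype]))
        else:
            summary["other"].append(ptype)  # e.g. VPN or proxy payloads deserve a closer look
    return summary

# Constructed sample: one Wi-Fi payload plus two certificate payloads.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadDisplayName": "Example School WLAN",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-UUID",
         "PayloadContent": b"constructed-placeholder"},
        {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": "ID-UUID",
         "PayloadContent": b"constructed-placeholder"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleSchool",
         "EncryptionType": "WPA2", "PayloadCertificateUUID": "ID-UUID",
         "EAPClientConfiguration": {"AcceptEAPTypes": [13],
                                    "PayloadCertificateAnchorUUID": ["CA-UUID"]}},
    ],
})

if __name__ == "__main__":
    print(summarize_profile(SAMPLE))
```

A profile whose summary shows only a Wi-Fi payload and the certificates it references matches the EAP login case discussed in this thread; anything under `other` is worth asking IT about.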
FriendlyStory7 t1_iy7gxlr wrote
Can they see my traffic if I use my 4G/5G? Can they see my traffic if I use another WiFi, i.e. my home WiFi? (If I have this kind of certificate installed)
BananaBaconFries t1_iy7usbj wrote
You should only be concerned if the certificate is used for decryption (as I mentioned).
But let's assume that it is; UNLESS you're using a VPN Software provided by your IT (which basically routes your traffic to them) you shouldn't be concerned about it.
A lot of managed devices enforce VPN connectivity to the company's network, thus allowing inspection. We can even implement enforced VPN connectivity in which your computer CAN'T connect to the internet if you somehow turn off your VPN to your company (despite your WiFi having no issues).
TL;DR:
- If you're using mobile data with no VPN Software provided by your company - they won't be able to see your traffic
- If you're using mobile data WITH VPN software running provided by your company - then LIKELY they are seeing your traffic (even without decryption, your DNS queries are quite visible so they know which websites you go to at least)