Comments

Conscious_Inside6021 t1_iy3rpwy wrote

Your Schulen is spyen on you

Edit: I have no idea why people are replying with a crying face emoji and at this point I'm too scared to ask

469

Blendandextend t1_iy3oumq wrote

Zo you can not zee das boobie.

459

BananaBaconFries t1_iy3yt90 wrote

I don't understand or speak German(?). But common reasons why certificates are installed on a computer, mobile device, etc. are to skip the certificate error a user encounters or to allow the device to "present" itself to a network device when attempting to use it; such use cases are:

  1. Decryption: They are inspecting your traffic, like the actual data (payload); many security products do this. This allows these products to inspect/protect you. HOWEVER, highlighting this allows your school to see your data (this is actually a MiTM (Man in the Middle) attack if it was not coming from a trusted source).
  2. Authentication: Certificate-based client authentication; could be used for RADIUS or client authentication.

I'm also reading that it is unsigned? This is actually normal; these tend to be self-signed certificates (SSC), since basically you are trusting a Root CA certificate (this is a whole other level of discussion which I won't get into detail on).

Considering I can see the word WLAN in there, it's likely used for authentication, i.e., to allow you to connect to your school's WiFi; could be using EAP-TLS since they are using certificates.

-Source: Working as a Systems Engineer specializing in this stuff

-Recommendation: Just take note you've installed said certificate; don't forget to delete it after, like, your term ends there at your school. Also install it on devices you actually use for school, e.g., if you just want to connect your phone to get free internet and not use it to access school resources, then don't do it.

EDIT: I am assuming your iPhone is school owned, like you work at that school? If this is a personal device, tbh I would not install it; trusting a certificate is a major consideration when installing it on a personal device and is honestly a breach of your own personal privacy (especially considering your school IT likely did not tell you what its purpose is since you asked it here in this reddit).

276

House-of-Suns t1_iy4k8lt wrote

Yeah this 100%. Sysadmin in a UK school here. Our older students have a “Bring Your Own Device” WiFi network so they can use their own devices in school, however due to mandatory safeguarding requirements in UK schools that web usage must still be filtered and monitored. Perhaps Germany have similar requirements? Regardless, I agree it’s totally on the IT to let people know what they’re doing, particularly with their own devices.

58

rogerhub t1_iy4t7z9 wrote

This help article says certificates aren’t trusted for SSL if they come from manually installed profiles, unless you explicitly enable trust. If this is true, I’m guessing that there’s no privacy issue with installing the profile, and the only effect it should have is enabling EAP login to access the wifi.

4

Sufficient_Row77 t1_iy5qcqz wrote

I don’t know if this helps, but it’s German and it says that the profile has no signature and that it includes WiFi and two certificates.

2

FriendlyStory7 t1_iy7gxlr wrote

Can they see my traffic if I use my 4G/5G? Can they see my traffic if I use another WiFi, i.e. my home WiFi? (If I have this kind of certificate installed)

1

BananaBaconFries t1_iy7usbj wrote

You should only be concerned if the certificate is used for decryption (as I mentioned).

But let's assume that it is; UNLESS you're using VPN software provided by your IT (which basically routes your traffic to them), you shouldn't be concerned about it.

A lot of managed devices enforce VPN connectivity to the company's network, thus allowing inspection. We can even implement enforced VPN connectivity in which your computer CAN'T connect to the internet if you somehow turn off your VPN to your company (despite your WiFi having no issues).

TL;DR:

  1. If you're using mobile data with no VPN software provided by your company - they won't be able to see your traffic
  2. If you're using mobile data WITH VPN software running provided by your company - then LIKELY they are seeing your traffic (even without decryption, your DNS queries are quite visible so they know which websites you go to at least)

2

Draces89 t1_iy3s2lz wrote

This looks like an 802.1X certificate. The authentication endpoint (RADIUS) is secured by this. The only bad thing is the "Not signed".

It looks like an endpoint certificate for a RADIUS server for 802.1X authentication. We use this at our schools too. The only thing that's not so great is probably the "not signed".

137

ElNilso1989 t1_iy3x290 wrote

Probably similar to eduroam. A certificate for the Wi-Fi that lets you get online at any university across Europe.

30

gfaust_mudd t1_iy3q0xh wrote

Profiles are installed so the IT department can push install their crap onto your product. Only reason this would happen is if your device is school property, otherwise very unethical.

47

pacoii t1_iy3rhe7 wrote

Unless the school is requiring them to use their Wi-Fi, why is it unethical? Most employers will require a similar Profile when using a personal device on a corporate network, for security purposes.

16

gfaust_mudd t1_iy3sita wrote

Wi-Fi is password protected and you agree to terms if/when you log into it. Profiles can allow unrestricted access and are generally used in managed environments. I’m yet to see a company that uses this method vs VPN for personal device use. And note I’m not talking about a phone your company provides you, I’m talking about your phone on their networks

−10

CrypticMocha t1_iy40itn wrote

It is extremely common practice to have employees sign agreements and install profiles on BYOD (bring your own device) endpoints.

12

PADFTGW t1_iy45buw wrote

That it is common won’t say it’s normal to do. They can get full access to your device by such profiles. You had better use your own mobile provider to access the internet instead of the company WiFi. Even without an installed profile they can track all your internet traffic.

5

jjeroennl t1_iy5g83p wrote

I’m pretty sure it’s illegal in the European Union; if your employer requires this they will need to provide the phone, laptop or tablet. It’s also not allowed for employers to make you install an app on your personal phone, for example.

It’s even more not allowed to monitor network traffic; then you will be violating both employee rights and the GDPR.

Dutch source: https://www.everphone.com/nl/blog/scheiden-van-gegevens-bij-mobiele-telefoon-van-de-zaak/

1

pacoii t1_iy3sooo wrote

Many companies use Profiles. I’ve worked at them, lol!

4

cyberentomology t1_iy4a96y wrote

Certificate authentication to access enterprise Wi-Fi networks is extremely common. Products like ClearPass exist for this exact use case. The “password” for a WiFi network (pre shared key) is an encryption key, not an authentication or authorization method, and is only typically used on small-scale personal networks.

This is completely separate from VPN which allows remote secured access to internal company networks. Certificate authentication to the network provides authentication, authorization, and accounting, as well as robust encryption of the wireless link.

2

NutGoblin2 t1_iy5uux9 wrote

This isn’t a profile. It’s a certificate

4

[deleted] t1_iy3u7xc wrote

Wrong

−9

gfaust_mudd t1_iy3ufoi wrote

Explain

3

[deleted] t1_iy3vl62 wrote

This is right wing or uneducated propaganda. Profiles are to protect a company's information and do not give the company unrestricted access to the phone. Yes, they are able to push software or wifi certificates to the phones, but they are not able to see everything on your phone. Saying this is “unethical” is just flat out wrong.

−16

gfaust_mudd t1_iy3waze wrote

I don’t know what schools use for managing these things and I’m sure there are many. My experience with enterprise software using Casper is what I base my comments on. I don’t see what politics have to do with this.

6

gnulynnux t1_iy46tru wrote

This is definitely not right-wing propaganda, where are you getting that?

Seriously, I'm a "terminally online" leftist and I can't imagine an interpretation where "don't install self-signed root CAs to your personal device" is right-wing propaganda. I think you're wrong here, but I'm genuinely curious about how you arrive at this conclusion.

Installing a root CA to your personal device breaks a lot of security assumptions. I assume Apple has carved out an exception for their own updates and app installs, because a root CA would feasibly allow them to "see everything on your phone". As it stands, a root CA only allows them to intercept and modify everything in the network data.

That said, I don't speak German(?) well-enough (or use iPhones enough) to know if this is indeed a self-signed root CA.

5

SamanthaJaneyCake t1_iy49sy9 wrote

Wifi certificate (WLAN cleared up any doubt about that). Essentially it’s to allow your phone to connect to the school wifi without having to log in through their portal each time.

42

elislider t1_iy45bst wrote

It’s a wifi cert, likely so your phone can more easily connect you to the school’s wifi network. If you click “more details” it will tell you what it can do

21

Thecardinal74 t1_iy4ivaz wrote

do you want to connect to the school's wifi or not?

11

8046Ile OP t1_iy4lowu wrote

Yes, I am using the free wifi

8

Mc_Master_Mummy t1_iy7di32 wrote

This certificate should allow you to connect to it, no clue why you need a certificate for it but it may be standard in Germany. I’m from the US so I don’t know what’s standard there. The certificate would probably track network traffic to make sure you aren’t doing sketchy stuff on their Wi-Fi.

This certificate should enable you to connect to it; no idea why you need a certificate for that, but it may be standard in Germany. I come from the USA, so I don't know what is standard there. The certificate would probably track the network traffic to make sure that you aren't doing any sketchy things on their Wi-Fi.

2

tbone338 t1_iy4hy36 wrote

Do not install it on your personal device. By installing it, you’re giving them access to what your phone does on the wifi. It’s their way of monitoring you

8

[deleted] t1_iy4sodv wrote

[deleted]

5

Janneske_2001 t1_iy5eepi wrote

I have something similar for our eduroam network in the Netherlands.

2

The_Hackintosh t1_iy412km wrote

Welcome to Zürich

4

8046Ile OP t1_iy4lkl9 wrote

Yeah… I just don't understand what they want from me, I'd rather delete the crap

2

The_Hackintosh t1_iy4lq0v wrote

Looks like a profile that gives access to the school Wi-Fi.

1

Lukinator6446 t1_iy4h980 wrote

Well, I'm assuming that you're at the Gymnasium, because our WLAN has exactly the same name. It seems to be a certificate so that you can connect to the school Wi-Fi more easily.

4

aberdoom t1_iy4o861 wrote

Did you consider asking?

4

cyberentomology t1_iy496do wrote

Since it says right there that it’s for the WLAN, that’s going to be required to authenticate to the wi-fi.

2

viewerx3 t1_iy4cfgx wrote

What I would like to know is, do these certificates pose a privacy risk? Can they be used to track activity (such as what you search behind a VPN)? Or is it just for user authentication?

What features or information does the school IT gain by having their users install these web certificates?

2

ctaetcsh t1_iy4ebti wrote

If there is an SSL certificate in there then yes it would allow the school IT department to monitor HTTPS traffic. However, as a VPN encrypts your traffic, they wouldn’t be able to monitor it.

As for why, many areas have laws requiring schools to filter internet traffic. Many of these systems have block pages that tell you why the page you tried to access was blocked. However, because of HTTPS, these block pages cause the browser to throw an HTTPS error because the certificate it received was invalid. Adding this cert will allow the block page to show without an error (but that's speculation on my part). I use NextDNS for personal filtering of ad domains and the like, and because I have a block page enabled, I need to install their certificate so it shows up without an HTTPS error.

1

Reasonable-Ad9987 t1_iy4hym5 wrote

I “hack” (bypass school filters and chrome extensions) for $5 and tell people how to do it. Not that hard really

−3

ctaetcsh t1_iy4i7jx wrote

Yeah it’s not hard at all with most setups, especially on personal devices. My school used a system that just acted as a DNS sinkhole if you didn’t have the Chrome extension so using my own EDNS got around that.

1

AquWire t1_iy4dvke wrote

Nothing at all goes onto private devices, for a start. No matter how much they protest!

Looks like access credentials for Wi-Fi.

2

zerbey t1_iy4ovsu wrote

Your school is most likely using SSL Decryption to intercept either all (bad implementation) or some https sites. The most common reason a school would do this is to enforce keyword blocks and you can also do things like force safe search on Google and block GMail from external non school accounts.

Without the certificate you'll get SSL errors on any page they're monitoring.

2

Longtime_Iurker t1_iy4raqp wrote

This is a network profile so that your school's IT department can see your network activity (e.g. what you google). With it they can more easily attribute activity to each student and block objectionable websites. Also, you then don't have to log in to the internet portal every time. Honestly, though, it seems a bit suspicious to me, since you can't know exactly which data they collect or whether they also collect data from you when you're not connected to the school Wi-Fi. If I were you, I wouldn't install it, even if I then have no access to the school Wi-Fi. My privacy is more important to me than that.

2

sanjay_82 t1_iy4s2yj wrote

Self-created certificate, that's why you're seeing this; the school didn't want to buy a proper cert

2

pwndfu t1_iy6c9sv wrote

tracking and pushing bloatware most likely

2

[deleted] t1_iy3tpf6 wrote

It looks like a wifi cert

1

praggy97 t1_iy4a656 wrote

I also have 3 certificates like this installed; my company mandates it to use the company Zoom and Outlook. iPhone doesn’t have something like Android, where there is a separate work profile that can be triggered

1

Separate-Eye5179 t1_iy8tcoh wrote

Yes iPhones have work profiles. It’s under the “profiles” section in control centre and is called “work”. You can customise the notifications you receive and what apps are visible. Been on iPhones since early 20219

1

PHILIPTNT t1_iy4qako wrote

I never installed things on my personal devices that my school told me to. I don’t trust the software they give us

1

SoggyDoggyiPhone8 t1_iy61ld2 wrote

It is prob a VPN so the school can see your search history and block inappropriate websites.

1

UnderstandingNo5785 t1_iy6dgl8 wrote

It’s to spy on you while on their wifi. Make sure you’re not doing no no business

1

rdejesus486 t1_iy74gwh wrote

It just looks like Wi-Fi profiles so you can connect to the SSID at your school.

1

WarriorA t1_iy7a0it wrote

What you installed is a Profile. Profiles can contain certificates (in this case 2) but can also include other permissions. Often used for MDM to access and maintain devices. It’s probably fine, but this is not just a certificate like others claim

1
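
Added example (not part of the thread or any commenter's code): the question running through these comments, whether the profile holds only Wi-Fi settings and certificates or something broader such as VPN or MDM, can be answered by reading the unsigned `.mobileconfig` file, which is an XML property list. The sample profile, its SSID and the certificate bytes are constructed; the function names are hypothetical; the payload type strings are Apple's documented identifiers.

```python
import plistlib

# Payload types that only configure Wi-Fi or carry certificates.
WIFI_AND_CERTS = {
    "com.apple.wifi.managed": "Wi-Fi network settings",
    "com.apple.security.root": "CA certificate",
    "com.apple.security.pkcs1": "certificate",
    "com.apple.security.pkcs12": "client identity (certificate + private key)",
}
# Payload types that reach further than joining a network.
BROADER = {"com.apple.vpn.managed": "VPN configuration", "com.apple.mdm": "MDM enrolment"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def payloads(data: bytes) -> list[dict]:
    """Parse an unsigned profile (a plain XML plist) and return its payload dicts."""
    return plistlib.loads(data).get("PayloadContent", [])

def summarize_profile(data: bytes) -> list[str]:
    """One line per payload: its type, what it is, and Wi-Fi/EAP details if present."""
    lines = []
    for p in payloads(data):
        ptype = p.get("PayloadType", "?")
        note = WIFI_AND_CERTS.get(ptype) or BROADER.get(ptype, "unrecognised, review manually")
        if ptype == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            methods = "/".join(EAP_TYPES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", []))
            note += f" (SSID {p.get('SSID_STR')!r}, EAP {methods or 'none'})"
        lines.append(f"{ptype}: {note}")
    return lines

def beyond_wifi_and_certs(data: bytes) -> list[str]:
    """Payload types that do more than configure Wi-Fi and carry certificates."""
    return [p.get("PayloadType", "?") for p in payloads(data)
            if p.get("PayloadType") not in WIFI_AND_CERTS]

# Constructed sample: one Wi-Fi payload and two certificate payloads.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "EXAMPLE-WLAN",
         "EncryptionType": "WPA2", "EAPClientConfiguration": {"AcceptEAPTypes": [25]}},
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"constructed-der"},
        {"PayloadType": "com.apple.security.pkcs1", "PayloadContent": b"constructed-der"},
    ],
})

if __name__ == "__main__":
    print("\n".join(summarize_profile(SAMPLE)))
    print("beyond Wi-Fi/certs:", beyond_wifi_and_certs(SAMPLE) or "nothing")
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it; the unsigned case shown here matches the "not signed" notice discussed in the thread.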

ea0n t1_iy3we0v wrote

found the Swiss person

−3

ISHx4xPresident t1_iy40kqb wrote

Aside from the back and forth in the comments, if it’s your personal device, you probably shouldn’t install any profiles. Under no circumstances, outside of maybe government and the likes, is it ethical to agree your personal devices to anything beyond required passcode, encryption and, if it’s the nature of where you work, audits of the device or device’s security.

If they want access to push software or have any control of the device, they need to provide the device to do that with.

−5

inetkid13 t1_iy43owk wrote

It's a wifi certificate, not a master key to decrypt all his information and overtake his device remotely.

14

cyberentomology t1_iy49bmu wrote

Specifically, an 802.1X certificate, just happens to be used primarily to authenticate to the WiFi and secure the connection.

8