School installs certificate using 3rd party program to connect to their internet. How safe am I?

My school uses a service called SecureW2 to install a certificate on devices that want to connect to the internet. I am concerned about my privacy. Can they see what I am doing when I am not on one of their access points?

I used the software on a different user on my Windows computer and can connect to the internet from there, but sometimes I need to access the internet on the main user.

Is my university getting any info about what I am doing? The installer used to install Fortinet, but doesn’t now.

that cert allows them to decrypt otherwise encrypted traffic, aka https

they can see everything in plain text

It allows your device to connect to the Internet without needing to send login info after the first time. It does allow decryption of network traffic however any VPN will prevent that.

Edit

Correct information below, but doesn’t apply in this case.

SecureW2 is a service to automatically enroll RADIUS Server certificates to connect to WPA Enterprise networks (Wifi that you have to log in to with a username and password).

Edit done

Usually, all encrypted traffic is end to end encrypted with certificates validated by a trusted entity (so called certificate authority, e.g. LetsEncrypt, DigiCert, GlobalSign, Google, …).

Your device however trusts an additional authority: your school.

If your school is able to intercept the traffic, they can theoretically swap out the certificate websites are encrypted with with their own cert, and read all traffic that’s usually encrypted as plain text.

On other networks, it’s unlikely that they continue to monitor traffic as they need to change out the cert which is more difficult on networks they don’t control, but I wouldn’t risk it.

You can see which certificates websites are encrypted with by opening a browser, going to a website and clicking on the lock icon (or tweak icon on newer installations of Chrome / Chromium browsers) and navigating to the certificate.

The Certificate Authority should be a globally trusted Organisation, not some local certificate or unnamed certificate.

Keep in mind that just because traffic might be encrypted by a proper certificate issued by a trusted CA doesn’t mean that what you do is private or secure, as you can never truly trust school / work issued devices.

Never log in to private accounts or add private information or browse on sensitive sites with devices managed by work / school.

Bro, that is not good. Sounds like your school is spying on you with this third party program. Gotta be careful cuz they can see everything you do even when you’re not using their wifi! Big brother knows all.

ITT: People who don’t understand how cert-based authentication works at all. All this is doing is allowing you to connect to the wifi without a username and password. This is done by 1000s of companies across the country. Cert-based authentication doesn’t mean they can decrypt your traffic. Also, if they wanted to decrypt your traffic you wouldn’t know, and they don’t have to install anything on your computer to do that. If they are watching you, you wouldn’t know. Your options are connect to wifi or don’t. u/nightowl500 put it very well and is the only other person who knows what they are talking about.

Can you set up a VM on your machine and use the VM to do the certificate service (and anything else on their network)?

i concur. OP, one way you might address the problem is by using a third party VPN once you connect to the university network.

Will they be able to see on other networks?

While that is true, it is highly unlikely that is the purpose. In order to protect users from malware, it is essential that traffic be decrypted, as firewalls do a very poor job of detecting encrypted malware. In fact, in most firewalls specific configuration is required to provision a dedicated terminal for manual intervention. We don’t have that at my work.

It does not allow them to decrypt data encrypted with other websites’ certs, which is most internet data

Wouldn’t they be able to view this information even if they connected to the WiFi normally with username and password? It’s just that the certificate makes it easier, right?

We literally do not have the time or interest to snoop on what others are doing.

The main issue is: can you? Can any individual in the IT department spy on any user and decode and decrypt their Internet traffic?

Ok so I might add something:

This is for certificates from certificate authorities, used to encrypt and decrypt HTTPS / SSL / TLS traffic.

The certificate might also be a totally different certificate needed to connect to a WPA Enterprise network (login to network with username, password and certificate). In this case, they can’t read any encrypted traffic; the certificate is just needed to validate that the network you’re trying to connect to is actually your school’s network and not a fake or spoofed one.

it’s not as much the program as it is the certificates. SecureW2’s privacy policy is quite decent.

I just want to know what issues the certificates will cause

Utter rubbish. The certificate only matters for the school connection. It is irrelevant for all other connections.

It is not. Firewalls need to decrypt traffic to prevent malware. It is a very normal and recommended practice.

Without knowing the capabilities of the 3rd party program we can’t say for certain, however simply having a cert installed? No.

The cert belongs to your university, and a matching (not the same, just matching) version of the cert is installed (most likely) on the school firewalls. When you get on their network to go out to the Internet the cert on your machine means that it trusts the Firewall to pretend to be any website.

The firewall then can decrypt (see in plain text) ALL of your web traffic. Some things, like VPNs, can still encrypt your traffic, potentially. Presumably the 3rd party program does not interfere with VPN clients.

This is incredibly common on an organization’s network for the organization’s machines (like a work laptop on a work network), but less common on an organization’s network for Bring-Your-Own-Device (BYOD) machines, like yours.

I suggest looking at the lock icon in the browser of a website and seeing who issued the certificate. If it’s being issued by that company, they are routing traffic back. If it is not being issued by that company, it is still not 100% guaranteed that they are intercepting traffic.

i’m looking for this
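
The thread turns on what kind of certificate the installer added: a root that the machine trusts for websites, or a client identity used only to log in to the Wi-Fi. As an added example (not from any poster and not SecureW2's own tooling), this read-only PowerShell lists the Windows certificate stores and labels each entry by its CA flag and extended key usage; the role labels and the choice of stores are this example's assumptions.

```powershell
# Added example: label each certificate by what its X.509 fields allow it to do.
# The OIDs are standard X.509 / PKIX values; the role labels are this example's own.
$OidBasicConstraints = '2.5.29.19'
$OidEku              = '2.5.29.37'
$EkuServerAuth       = '1.3.6.1.5.5.7.3.1'   # TLS server (website) authentication
$EkuClientAuth       = '1.3.6.1.5.5.7.3.2'   # client authentication (e.g. EAP-TLS)

function Get-CertRole {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$StoreName   # 'Root' or 'My'
    )
    $bc     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidBasicConstraints }
    $isCA   = [bool]($bc -and $bc.CertificateAuthority)
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidEku }
    # No EKU extension means the certificate is not limited to particular purposes.
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $unrestricted = ($ekus.Count -eq 0)

    if ($StoreName -eq 'Root' -and $isCA -and ($unrestricted -or $ekus -contains $EkuServerAuth)) {
        'Trusted CA, valid for website certificates'
    } elseif ($StoreName -eq 'Root') {
        'Trust anchor, CA flag unset or purposes restricted'
    } elseif ($Cert.HasPrivateKey -and ($unrestricted -or $ekus -contains $EkuClientAuth)) {
        'Client identity (e.g. Wi-Fi login)'
    } else {
        'Other'
    }
}

# Read-only walk over the user and machine root stores and the personal store.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My'
$rows = foreach ($path in $stores) {
    $storeName = ($path -split '\\')[-1]
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{
            Store      = $path
            Role       = Get-CertRole -Cert $_ -StoreName $storeName
            Subject    = $_.Subject
            NotBefore  = $_.NotBefore
            Thumbprint = $_.Thumbprint
        }
    }
}
$rows | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

Look for entries whose Subject names the school and compare their Role with the issuer shown behind the browser's lock icon.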