[GLLUG] Installing SSL certificate at the request of a WiFi provider

Alain Williams addw at phcomp.co.uk
Sun May 8 23:02:24 UTC 2016

On Sun, May 08, 2016 at 08:47:50AM +0100, Greater London Linux UUG wrote:
> Not specifically a Linux question, but I know a lot of knowledgeable
> people lurk here so I hope it will be forgiven.
> A (physical) site which I visit regularly provides a BYOD WiFi network
> to which people can connect their own devices.  You need an individual
> WPA2 login in order to connect to it.
> Just recently they've announced that they're introducing filtering of
> https connections, and thus you will also need to install a certificate
> provided by them if you are going to use it to access any https web sites.
> Now the only way I can see this working is if they are proposing to
> generate spoof certificates, signed by them, for any such sites which
> you access, install their web filter as a man-in-the-middle, and thus
> have clear-text access to all your supposedly encrypted communication.
> Am I reading this correctly, or is there some less malign thing which
> they could be doing?  Should I just stop using their WiFi and rely on my
> own 4G connection?

I would not trust them.

It might be really interesting to ask them *why* they want you to install their
certificate ?

I suspect that they only want to read what is going back/forth over the SSL
session and not write to it (as did Phorm). I can see that they might have
legitimate concerns about people sending out legitimate corporate secrets, but
this would hardly stop someone: just write to a memory stick, use own 4G, ...

Maybe they want to virus filter incoming stuff (web pages).

Do they have a policy of not allowing personal transactions, eg: banking, login
to personal email/facebook/... - in which case everything should be on
'corporate business' Do they say that contents of HTTPS connections might be
read - if not the data protection people might have something to say.

Or: if you want a quiet life, just use your 4G

Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>

More information about the GLLUG mailing list