Eduroam is an organization that provides free WiFi to educational institutions and around some cities. I don't fully understand how the authentication works, but in order to connect you have to install a CA Certificate called eduroam_WPA_EAP_TTLS_PAP
on your device. I know CA certificates are used to decrypt TLS/SSL traffic, so doesn't this mean that Eduroam can decrypt my traffic considering I have their certificate installed on my phone? Any input is appreciated.
The specific certificate looks like this (numbers changed for security):
$ openssl x509 -inform der -in ca.skole.hr.der -noout -tex
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = HR, ST = Zagreb, L = Zagreb, O = MZOS, OU = CARNet, CN = CA Root certificate skole.hr
Validity
Not Before: Nov 15 14:17:58 2011 GMT
Not After : Nov 12 14:17:58 2021 GMT
Subject: C = HR, ST = Zagreb, L = Zagreb, O = MZOS, OU = CARNet, CN = CA Root certificate skole.hr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
00:e5:a0:99:17:88:9d:1c:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
00:e5:a0:99:17:88:9d:1c:9300:e5:a0:99:17:88:9d:1c:93
X509v3 Authority Key Identifier:
keyid:00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:00:e5:a0
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
00:e5
It is installed using the Eduroam app into the Android credential storage and is "Installed for Wi-Fi" which I assume means that the credential is applied to all WiFi traffic.
eduroam_WPA_EAP_TTLS_PAP
, and the certificate linked there is theT-TeleSec GlobalRoot Class 2
root CA that is probably already installed on your computer - it's even on Mozilla's Included CA Certificate List.