markth0mas
Message 1 of 11

Root certificates in the profile used by the Virgin Media Wifi App for iOS

I just tried to set up auto connect on the Virgin Media Wifi app on my iPhone. The app tried to install a new profile which includes root certificates.

Having a certificate for authentication makes sense, but a root certificate seems risky. Could someone from Virgin Media comment on what the root certificate is used for?

 

NoResyncsPlease
Message 2 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

This is an excellent question. I just did the same, then decided it wasn't worth it to have a little 'free' wifi, as allowing Virgin to place a root certificate in the iOS device means they can transparently decrypt all of our traffic, get our social media login names and passwords, our bank username and passwords, etc.

I would like to be able to use the Virgin Wifi benefit that I receive with my Virgin Media package but I don't think it's wise to accept this certificate. A comment from a knowledgeable Virgin Media technician would be appreciated.

Superuser
Message 3 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

Virgin Media WiFi uses Secure EAP-TTLS/MSCHAPv2 for authentication to the Virgin Media WiFi network, and the certificates installed by Virgin Media WiFi app and profile are used as part of the authentication for connection to the secure SSIDs shown in the profile (specifically Virgin Media, arq_wifi_x and _The Cloud X).

The Root certificates cover the required authentication for each of the secure SSIDs, which you can see when you look into the details of each of the root certificates.

A good explanation as to what the certificates do is here http://security.stackexchange.com/questions/102550/what-are-wifi-certificates-used-for-what-are-they

The secure SSIDs used by Virgin Media WiFi ensure that the WiFi traffic between your device and the Virgin Media WiFi access points is encrypted. This is in comparison to using an open SSID and then username and password security prompts on a webpage to allow onward internet access. On these WiFi networks the traffic between your device and the access point is not encrypted.

**********************************
I work for Virgin Media - but all opinions posted here are my own
Superuser
Message 4 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

Could the same not have been achieved by using certificates issued by one of the CAs already supported by iOS?

Superuser
Message 5 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

If you go into any of the Root certificates, they're titled 'Certificate for Virgin Media', 'Certificate for arq_wifi_x' and 'Certificate for _The Cloud X', so are there for the WiFi connection.

They're there to tell the device which SSIDs are the valid ones, and I'd expect they're there to stop the SSIDs being spoofed i.e. someone can't set up a fake 'Virgin Media' access point and have a device that's been configured for Virgin Media WiFi to connect to it because the authentication certificates are issued from the Virgin Media CA - which only Virgin Media have access to and so the certificates only work on valid Virgin Media access points.

**********************************
I work for Virgin Media - but all opinions posted here are my own
Tudor
Message 6 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

I believe that Apple will not allow the installation of any root certificate that can trap all traffic on a device.


There are 10 types of people: those who understand binary and those who don't
Superuser
Message 7 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS


Tudor wrote:

I believe that Apple will not allow the installation of any root certificate that can trap all traffic on a device.


That belief is incorrect, as OP shows root certificates can be installed if the user agrees to do so and, with the root certificate operator and network operator being one and the same, it is now possible for SSL interception to occur.

markth0mas
Message 8 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

Yeah, that was my concern too.

If you have a Mac, you can have a proper look at the profile using the 'Apple Configurator' tool. Just after login to the VM wifi app, it briefly switches to Safari to download the profile and you can grab its URL from there and then look at it on your Mac.

It's quite interesting.  As far as I can tell the wifi login passwords are completely independent of the root certificates, and can be used without them.

Mark
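
As an added example (not part of the original posts and not Virgin Media's code), the profile inspection described above can also be done with a short script that lists each certificate payload and which Wi-Fi SSIDs reference it as an EAP trust anchor. The sample profile is constructed for illustration; its UUIDs, server name and certificate bytes are placeholders.

```python
import plistlib

# Constructed sample profile (NOT the real Virgin Media profile). UUIDs, the
# server name and the certificate bytes are placeholders for illustration.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "AAAA-ROOT-1",
         "PayloadDisplayName": "Certificate for Virgin Media",
         "PayloadContent": b"placeholder-der-bytes"},
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "BBBB-ROOT-2",
         "PayloadDisplayName": "Unreferenced example root",
         "PayloadContent": b"placeholder-der-bytes"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "CCCC-WIFI-1",
         "SSID_STR": "Virgin Media", "EncryptionType": "WPA2",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [21],                  # 21 = EAP-TTLS
             "TTLSInnerAuthentication": "MSCHAPv2",
             "PayloadCertificateAnchorUUID": ["AAAA-ROOT-1"],
             "TLSTrustedServerNames": ["radius.example.invalid"]}},
    ],
})

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_profile(raw: bytes) -> dict:
    """Report which certificate payloads anchor EAP server trust for which SSIDs."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    certs = {p["PayloadUUID"]: {"name": p.get("PayloadDisplayName", ""),
                                "type": p["PayloadType"], "anchors_ssids": []}
             for p in payloads if p.get("PayloadType") in CERT_TYPES}
    no_server_names = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        for uuid in eap.get("PayloadCertificateAnchorUUID", []):
            if uuid in certs:
                certs[uuid]["anchors_ssids"].append(p.get("SSID_STR"))
        # An EAP network with no expected server names accepts any server
        # certificate that chains to the anchor.
        if eap and not eap.get("TLSTrustedServerNames"):
            no_server_names.append(p.get("SSID_STR"))
    return {"certs": certs, "wifi_without_server_names": no_server_names}

if __name__ == "__main__":
    for uuid, info in audit_profile(SAMPLE_PROFILE)["certs"].items():
        print(uuid, info["type"], info["name"], "->", info["anchors_ssids"] or "no Wi-Fi use")
```

A certificate payload that no Wi-Fi payload references is the one to look at more closely before installing. A signed profile is a CMS envelope and has to be unwrapped before `plistlib` can read it.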

Superuser
Message 9 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

The certificates are used as part of the EAP-TTLS security that the network uses.

Some further discussion on why certificates are used http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clien...

You cannot connect to the SSIDs without the certificates, as there is no normal authentication method provided i.e. you don't get presented with a username and password logon that you do for open SSID public WiFi.

**********************************
I work for Virgin Media - but all opinions posted here are my own
markth0mas
Message 10 of 11

Re: Root certificates in the profile used by the Virgin Media Wifi App for iOS

Thanks for the link, that was useful.

I understand why Virgin would ship a root certificate. I am able to connect to Virgin Wifi without it, but on the first connection I get a prompt to trust the RADIUS server's identity. I know there is some risk there, and the root certificate mitigates the risk that the RADIUS server is being spoofed.

I think my concern really is that it feels wrong that an ISP should issue their own root certificates, because it gives you the power to decrypt SSL traffic.  That's why I don't want to install it on my devices.  I'd be much more comfortable if Virgin used a root certificate from a recognised CA.

Mark
