I have a question that no one has been able to answer properly on the net. If I use a personal iPhone, connected to my company’s guest WiFi, and browse to, say, , does my employer see/log:

  1. (i.e. the /news is hidden)
  2. the full URL

Some answers have said that HTTPS encrypts part of the URL, others say the full URL will be caught on router log.

Most people who have answered me say that Scenario 1 is most likely ie that the URL detail after the “/“ remains invisible because of the HTTPS connection and therefore not caught on router log. Others say that the network admin can see and record anything (which for me seems to defeat one of the main points of HTTPS? Again, this is a personal IPhone that no one has access to.

7

3 Answers

There is more than just HTTP to consider here...

WiFi

WiFi by it's very nature is an incredibly open technology. Anyone with an antenna and radio in your proximity can collect traffic.

The WiFi network itself can be encrypted, but there are many ways to get around this. If you're connecting to a company network, then it's probable that others nearby also have the password.

Capture and Archive

Remember - the network administrator can see all traffic that passes on their network, and there is nothing to stop them from capturing and archiving it.

If a weakness was discovered in a "secure" session, then any collected data could be compromised and potentially decrypted.

If computing power advances sufficiently, brute-forcing could be a viable option to get the plain-text data.

It's unlikely that an average company would log significant accounts of "on the wire" traffic.

Attribution

Traffic can be tied directly to your phone, based on your device's MAC address.

"MAC Address Randomisation" has been provided more recently... however in some cases this is not enough to properly anonymize the traffic.

DNS

For a standard phone setup, DNS queries are easily visible to the network operator and your neighbours. For example, your phone asking for the IP address for google.com, or mail.google.com.

It's possible, but I'd suggest unlikely that a company would log DNS queries - unless they are of a reasonable size.

IP Addressing

Communicating with another system on the network / internet requires that packets are directed accordingly using the remote system's IP address.

In many cases this will identify the site, or the company that you're communicating with directly (i.e: Google servers only host Google services). However many smaller sites use shared hosting (i.e: multiple websites on a single server), making it less implicit which website you were browsing.

HTTP (no SSL)

Typically the actual web traffic will be encrypted using SSL / HTTPS. But remember that there are still websites that don't enforce or even provide HTTPS support, so in these cases, all traffic can be "seen".

HTTPS

For websites using HTTPS (ignoring the DNS information above), it's now possible to host multiple domains on a single server using Server Name Indication. This permits the server to respond to the handshake with the correct SSL certificate, depending on which domain the client requested information from.

In this case, the hostname is still sent in plain-text as part of the handshake and is therefore visible.

Man in the Middle

In the case where HTTPS is used, there are still possibilities for the network operator to decrypt your traffic. Many companies run a proxy, installing a certificate on employee devices (laptops, phones, etc...).

In this case you are vulnerable to a "Man in the Middle" attack - your employer can decrypt all of the traffic, offer proxy-type services (e.g: content filtering, caching, etc...), and then potentially forward your request on to the destination server using the "correct" certificate.

This is unlikely for a personal device.

This is also somewhat mitigated by DNS Certification Authority Authorization... unless the operator spoofs the DNS responses for this too. I don't know if browsers cache the DNS CAA responses at all...

VPN

If you're using a VPN, with everything configured correctly, then it's probable that only the VPN server's DNS record will leak locally (presuming you're not using a direct IP), but my statement above about captured and archived traffic still stands. You also need to trust your VPN provider.

However, if your VPN setup isn't configured correctly, then DNS queries can still leak quite easily.


In summary, assume that:

  • A network operator (and anyone nearby) can see all traffic.
  • A network operator can definitely see the IP address of the remote server you're communicating with.
  • It's almost certain that the network operator can see the hostname of the site you're communicating with (e.g: google.com).
    • The hostname will leak via DNS.
    • The hostname will probably leak via SNI too (part of the SSL handshake)
  • The schema can be inferred (e.g: https://).
  • It's very possible that corporate devices have their traffic decrypted at a proxy. It is otherwise unlikely that others can easily "see" your decrypted traffic.
  • Any captured data could be valuable in the future - encryption is really a temporary measure - until a vulnerability is found, or computing power advances enough to make brute-forcing trivial.
11

To answer your specific question assuming you have zero workarounds... after connecting to GenericCo's guest wifi, you open a browser and attempt to navigate to .

A) A DNS request is sent out in the clear, asking the DNS server what the IP address is. DNS is not typically encrypted, so a snoopy sysadmin with WireShark can see it easily. This visible DNS request occurs for all domains and subdomains, so that mail.google.com and google.com are visible as two separate requests.

B) An HTTPS connection request is sent to that IP address. Handshaking occurs and your computer attempts to download that specific page /news. Theoretically, you have a secure HTTPS connection at this point, so it's much harder for a snoop to see it.

In general, assume that your employer can see anything that you do on their network. It is their Internet connection after all. You can obfuscate it using VPN and other methods that will show up in other answers. However, be aware that other individuals besides your employer may be able to see it too. Using a VPN will reduce the amount of snooping that nearby people will be able to do, but then you have to trust the VPN provider.

2

The simple answer to this question is that your scenario 1 is correct.

The connection is HTTPS, nobody can see what is entered after the domain name portion of the URL, except you and the other party you’re connecting to. Your employer only knows the following information:

  1. Your device name, your MAC address and IP address
  2. The AP you’re connected to and approximate location of your device.
  3. Your sign in name if you had to enter it to connect to WiFi
  4. The domain names of sites you access and when and for how long
  5. All details of traffic that is unencrypted.

This assumes you have not allowed your employer to install anything on your device. And, it assumes your employer has actually taken the extra steps necessary to actually gather some of this info. Finally, yes, these 5 items do suggest that they may not even know who’s phone it is that is on their network.

This amount of information does allow your employer to deduce a lot of things about the model of your phone, apps installed on your phone and your internet behavior.

With that said, the obvious disclaimer here is that you shouldn’t use your employer’s WiFi to do things that violate company policy. So, if you’re concerned just stay off the company WiFi.

4

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy