Is eduroam safe to use?
eduroam is based on the most secure encryption and authentication standards in existence today. Its security by far exceeds typical commercial hotspots.
eduroam requires the use of IEEE 802.1X, which provides end-to-end encryption of the authentication exchange so that your private user credentials are only available to your home institution. The certificate of your home institution is the only point you need to trust, regardless of who operates any intermediate infrastructure.
Be aware though that when using the general Internet at an eduroam hotspot, the local site security measures at that hotspot will apply to you as well. For example, the firewall settings at the visited place may be different from those you are used to at home, and as a guest you may have access to fewer services on the Internet than you have at home.
Does eduroam use a web portal for authentication?
No. Web Portal, Captive Portal or Splash-Screen based authentication mechanisms are not a secure way of accepting eduroam credentials, even if the website is protected by an HTTPS secure connection.
What if a webpage asks for my username or password?
eduroam will never show a webpage asking for your username and/or password. This is a sign that someone is attempting to hijack your password - do not use any network that requests this information.
I heard that my university credentials can leak to attackers under some circumstances. What’s this about?
The security model in eduroam is well thought-out and extensively studied (see for example the security section in RFC 7593). Your credentials are well protected as long as your device is correctly configured, and that correct configuration is crucial: with the needed items configured correctly, each of the authentication types used in eduroam (PEAP, TTLS-PAP, EAP-TLS) is secure.
Your eduroam Identity Provider provides you at minimum with installation instructions that allow a correct and secure configuration. The most critical items in those instructions are that you configure your device to trust a specific Certification Authority (CA) and to check the name of the Identity Provider's server.
Many eduroam Identity Providers go a step further and provide you with installation programs or configuration files that convey the security-relevant information in a simple click-through process. One such tool is "eduroam CAT", including the "geteduroam" apps; you may want to check whether your institution is listed.
Do make use of the installation programs and/or configuration instructions provided by your eduroam Identity Provider to be safe from attacks.
If you do not follow the configuration instructions, or in the unlikely case that your eduroam Identity Provider does not provide any, then the account data you use to log in to eduroam is indeed at risk from so-called Man-in-the-Middle attacks. For eduroam Identity Providers, not providing sufficient configuration instructions is against the eduroam participation policy. We welcome notices of such cases.
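To make the two critical configuration items concrete, here is an added example (not eduroam.org's, the eduroam CAT project's or any Identity Provider's code) that audits a wpa_supplicant-style eduroam network block for a pinned CA and a server-name check, and reports the settings that leave credentials exposed to a rogue access point. The configuration keys (ca_cert, domain_match, domain_suffix_match, subject_match, altsubject_match, anonymous_identity, eap, phase2) are real wpa_supplicant options; the two sample blocks are constructed, and the realm, CA file path and server hostname are placeholders.

```python
"""Audit a wpa_supplicant network block for the eduroam settings the FAQ
calls critical: trust a specific CA and check the IdP server's name.

Added example, not code from eduroam.org or eduroam CAT. The config keys are
real wpa_supplicant options; the sample blocks, realm, paths and hostnames
below are constructed placeholders.
"""
import re

# EAP methods named in the FAQ; PEAP and TTLS tunnel an inner method in TLS
TUNNELLED_EAP = {"PEAP", "TTLS"}
ALL_EAP = TUNNELLED_EAP | {"TLS"}

# Any one of these makes wpa_supplicant verify the server name as well as the CA
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match",
                    "subject_match", "altsubject_match")


def parse_network_block(text: str) -> dict:
    """Return key/value pairs of the first network={...} block in text.
    Surrounding quotes are stripped; comment lines and blanks are ignored."""
    m = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    settings = {}
    for raw in m.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_eduroam_block(text: str) -> list:
    """Return a list of findings; an empty list means the block is configured
    as the FAQ recommends."""
    s = parse_network_block(text)
    findings = []

    eap = s.get("eap", "").upper()
    if eap not in ALL_EAP:
        findings.append(f"eap={eap or '<missing>'}: expected one of {sorted(ALL_EAP)}")

    # 1. Trust a *specific* CA. Without ca_cert the server certificate is not
    #    validated at all, so any access point can impersonate your IdP.
    if not s.get("ca_cert"):
        findings.append("ca_cert missing: server certificate is not validated, "
                        "so a rogue access point can impersonate your IdP")

    # 2. Check the IdP's server name. The CA alone does not identify your IdP:
    #    many institutions share public CAs.
    if not any(s.get(k) for k in SERVER_NAME_KEYS):
        findings.append("no server-name check: set domain_match (or "
                        "domain_suffix_match/subject_match/altsubject_match)")

    # 3. For tunnelled methods the outer identity crosses the visited site's
    #    RADIUS proxies unencrypted; only the realm is needed there for routing.
    if eap in TUNNELLED_EAP:
        if not s.get("anonymous_identity"):
            findings.append("anonymous_identity missing: your real username is "
                            "visible to the visited network's RADIUS proxies")
        elif "@" in s.get("identity", ""):
            realm = s["identity"].rsplit("@", 1)[1]
            if not s["anonymous_identity"].endswith("@" + realm):
                findings.append("anonymous_identity realm differs from identity "
                                "realm: the request cannot be routed to your IdP")
        if not s.get("phase2"):
            findings.append("phase2 missing: inner authentication method not fixed")
    return findings


# Constructed sample: the critical items are absent (as in a hand-typed setup)
WEAK_BLOCK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: what an IdP's installer or instructions should produce
HARDENED_BLOCK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="REPLACE-ME"
    # the IdP's specific CA, not the whole system trust store
    ca_cert="/etc/ssl/certs/example-edu-idp-ca.pem"
    # the IdP's RADIUS server name, as given in the installation instructions
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for label, block in (("weak", WEAK_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(f"{label}: {audit_eduroam_block(block) or ['OK']}")
```

Running the script reports three findings for the weak block (no CA, no server-name check, no anonymous outer identity) and none for the hardened one. The same three questions apply to any supplicant, including the profiles eduroam CAT and geteduroam install: which CA is trusted, which server name is required, and what outer identity is sent in the clear.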
P.S.: this problem space is not specific to eduroam - any deployment of Enterprise Wi-Fi is in the same position.