I have a question that nobody has been able to answer properly on the internet. If I use a personal iPhone, connected to my company's guest WiFi, and browse to, say, https://google.com/news, does my employer see/log:

  1. https://google.com (i.e. the /news is hidden)
  2. the full URL

Some have said HTTPS encrypts part of the URL, while others say the full URL will be caught in the router log.

Most people who have answered me say that scenario 1 is most likely, i.e. that the URL detail after the "/" remains invisible because of the HTTPS connection and is therefore not caught in the router log. Some say that the network admin can see and record everything, which for me seems to defeat one of the main points of HTTPS? This is a personal iPhone that no one has access to.

Best Answer
There is more than just HTTP to consider here...

WiFi

WiFi is by nature an incredibly open technology. Anyone with an antenna or radio in your vicinity can collect traffic.

The WiFi network itself can be encrypted, but there are many ways to get around this. If you're connecting to a company network, then it's likely that others nearby have the password.

Capture and Archive

Remember that the network administrator can see all the traffic that passes through their network, and there is nothing to stop them from capturing and archiving it.

If a weakness was discovered in a "secure" session, then any collected data could be compromised and potentially decrypted.

If computing power advances sufficiently, brute-forcing could be a viable option to get the plain-text data.

It's unlikely that an average company would log significant amounts of wire traffic.

Attribution

Traffic can be tied directly to your phone, based on your device's MAC address.

"MAC Address Randomisation" has been provided more recently; however, in some cases this is not enough to properly anonymize the traffic.

DNS

For a standard phone setup, DNS queries are easily visible to the network operator and your neighbours. For example, your phone asking for the IP address for google.com, or mail.google.com.

I'd suggest that a company would not log DNS requests unless they are of a reasonable size.

IP Addressing

Communicating with another system on the network / internet requires that packets are directed accordingly using the remote system's IP address.

In many cases this will identify the site, or the company that you're communicating with directly (i.e. Google servers only host Google services). However, many smaller sites use shared hosting (i.e. multiple websites on a single server), making it less implicit which website you were browsing.

HTTP (no SSL)

Typically web traffic is encrypted using SSL (HTTPS). But remember that there are still websites that don't enforce or even provide HTTPS support, so in these cases, all traffic can be "seen".

HTTPS

For websites using HTTPS (ignoring the DNS information above), it's now possible to host multiple domains on a single server using Server Name Indication. This permits the server to respond to the handshake with the correct SSL certificate depending on which domain the client requested information from.

The hostname is still sent as plain text as part of the handshake and is therefore visible.

Man in the Middle

In the case where HTTPS is used, there are still possibilities for the network operator to decrypt your traffic. Many companies run a proxy, installing a certificate on employee devices (laptops, phones, etc...).

In this case you are vulnerable to a "Man in the Middle" attack - your employer can decrypt all of the traffic, offer proxy-type services (e.g. content filtering, caching, etc.), and then potentially forward your request on to the destination server using the "correct" certificate.

It's unlikely it'll happen on personal devices.

This is also somewhat mitigated by DNS Certification Authority Authorization ... unless the operator spoofs the DNS responses for this too. I don't know if browsers cache the DNS CAA responses at all...

VPN

If you're using a VPN, with everything configured correctly, then it's probable that only the VPN server's DNS record will leak locally (presuming you're not using a direct IP), but my statement above about captured and archived traffic still stands. You should also trust your VPN service provider.

However, if your VPN setup isn't configured correctly, then DNS queries can still leak quite easily.


In summary, assume that:

  • A network operator (and anyone nearby) can see all traffic.
  • A network operator can surely see the IP address of the remote server you're communicating with.
  • It's almost certain that the network operator can see the hostname of the site you're communicating with (e.g. google.com).
    • The name of the host will leak via DNS.
    • The hostname will probably leak via SNI too (part of the SSL handshake).
  • The schema can be inferred (e.g. https://).
  • It's very possible that corporate devices have their traffic encrypted at a proxy server. It is otherwise unlikely that others can easily "see" your decrypted traffic.
  • Any captured data could be valuable in the future - encryption is really just a temporary measure - until a vulnerability is found or computing power increases enough to make brute forcing trivial.