Can my employer see websites viewed on personal phone using corporate Wifi?


There is more than just HTTP to consider here...

WiFi

WiFi by its very nature is an incredibly open technology. Anyone with an antenna and radio in your proximity can collect traffic.

The WiFi network itself can be encrypted, but there are many ways to get around this. If you're connecting to a company network, then it's probable that others nearby also have the password.

Capture and Archive

Remember - the network administrator can see all traffic that passes on their network, and there is nothing to stop them from capturing and archiving it.

If a weakness was discovered in a "secure" session, then any collected data could be compromised and potentially decrypted.

If computing power advances sufficiently, brute-forcing could be a viable option to get the plain-text data.

It's unlikely that an average company would log significant accounts of "on the wire" traffic.

Attribution

Traffic can be tied directly to your phone, based on your device's MAC address.

"MAC Address Randomisation" has been provided more recently... however in some cases this is not enough to properly anonymize the traffic.

DNS

For a standard phone setup, DNS queries are easily visible to the network operator and your neighbours. For example, your phone asking for the IP address for google.com, or mail.google.com.

It's possible, but I'd suggest unlikely that a company would log DNS queries - unless they are of a reasonable size.

IP Addressing

Communicating with another system on the network / internet requires that packets are directed accordingly using the remote system's IP address.

In many cases this will identify the site, or the company that you're communicating with directly (e.g. Google servers only host Google services). However many smaller sites use shared hosting (i.e. multiple websites on a single server), making it less implicit which website you were browsing.

HTTP (no SSL)

Typically the actual web traffic will be encrypted using SSL / HTTPS. But remember that there are still websites that don't enforce or even provide HTTPS support, so in these cases, all traffic can be "seen".

HTTPS

For websites using HTTPS (ignoring the DNS information above), it's now possible to host multiple domains on a single server using Server Name Indication. This permits the server to respond to the handshake with the correct SSL certificate, depending on which domain the client requested information from.

In this case, the hostname is still sent in plain-text as part of the handshake and is therefore visible.

Man in the Middle

In the case where HTTPS is used, there are still possibilities for the network operator to decrypt your traffic. Many companies run a proxy, installing a certificate on employee devices (laptops, phones, etc...).

In this case you are vulnerable to a "Man in the Middle" attack - your employer can decrypt all of the traffic, offer proxy-type services (e.g: content filtering, caching, etc...), and then potentially forward your request on to the destination server using the "correct" certificate.

This is unlikely for a personal device.

This is also somewhat mitigated by DNS Certification Authority Authorization... unless the operator spoofs the DNS responses for this too. I don't know if browsers cache the DNS CAA responses at all...

VPN

If you're using a VPN, with everything configured correctly, then it's probable that only the VPN server's DNS record will leak locally (presuming you're not using a direct IP), but my statement above about captured and archived traffic still stands. You also need to trust your VPN provider.

However, if your VPN setup isn't configured correctly, then DNS queries can still leak quite easily.


In summary, assume that:

  • A network operator (and anyone nearby) can see all traffic.
  • A network operator can definitely see the IP address of the remote server you're communicating with.
  • It's almost certain that the network operator can see the hostname of the site you're communicating with (e.g: google.com).
    • The hostname will leak via DNS.
    • The hostname will probably leak via SNI too (part of the SSL handshake).
  • The schema can be inferred (e.g: https://).
  • It's very possible that corporate devices have their traffic decrypted at a proxy. It is otherwise unlikely that others can easily "see" your decrypted traffic.
  • Any captured data could be valuable in the future - encryption is really a temporary measure - until a vulnerability is found, or computing power advances enough to make brute-forcing trivial.


Author: Jim D

Updated on September 18, 2022

Comments

  • Jim D
    Jim D over 1 year

    I have a question that no one has been able to answer properly on the net. If I use a personal iPhone, connected to my company’s guest WiFi, and browse to, say, https://google.com/news, does my employer see/log:

    1. https://google.com (i.e. the /news is hidden)
    2. the full URL

    Some answers have said that HTTPS encrypts part of the URL, others say the full URL will be caught on router log.

    Most people who have answered me say that Scenario 1 is most likely, i.e. that the URL detail after the "/" remains invisible because of the HTTPS connection and therefore not caught on router log. Others say that the network admin can see and record anything (which for me seems to defeat one of the main points of HTTPS?). Again, this is a personal iPhone that no one has access to.

    • Ron Maupin
      Ron Maupin over 5 years
      You must assume that the administrators of a network can monitor all the traffic on their network.
    • Jim D
      Jim D over 5 years
      Thanks Ron. There are conflicting views on here. Some say the specific web page is hidden (rather than the Domain, which everyone agrees is visible), some say it is not.
    • Ron Maupin
      Ron Maupin over 5 years
      Believe me, there are ways that enterprise network administrators can monitor everything that happens on the network, and they are foolish if they do not do that. A business can be sued and have its network seized if it is found to have illegal activity. For example, an employee using it to view child pornography. The Feds will come in and shut down and seize the network. That is why so many businesses now outsource guest networks to companies that will deal with illegal activity and take the risk.
    • Jim D
      Jim D over 5 years
      Thanks Ron. Certainly nothing as extreme as that but I take the point!
    • Ron Maupin
      Ron Maupin over 5 years
      Most likely, there is not some person watching everything, but there are automated ways to monitor all the activity, and flag to a live person if something seems untoward. There are software and services to which companies can subscribe that is always being updated. My company has such a service, and it (I think) is too restrictive, blocking legitimate attempts to Internet requests, and we must fill out a bunch of paperwork detailing why a site or service is legitimate if it is on the service list.
    • Jim D
      Jim D over 5 years
      Thanks Ron. Would you flag it to your IT / pre-empt the problem? This was just a slightly risqué twitter page without anything in the page name that was risqué. Or let sleeping dogs lie?
    • Ron Maupin
      Ron Maupin over 5 years
      If you haven't heard anything, then you are probably OK.
  • Jim D
    Jim D over 5 years
    Thanks. So should my base assumption be that they have seen the full URL? I accidentally connected for a short time to a NSFW twitter page without realising my personal phone was connected to the guest Wifi at work.
  • Attie
    Attie over 5 years
    I would presume that you're fine... just be careful not to do it again. Especially as this probably breaches their usage policy.
  • Jim D
    Jim D over 5 years
    Thanks. You are very helpful. Are you saying it should be "fine" because the URL is buried in thousands of others, or because there is a chance they can't see the full URL, i.e. nothing after twitter.com?
  • Appleoddity
    Appleoddity over 5 years
    Downvoting as this answer is not only overly complicated it doesn’t answer the question and suggests several other “possibilities” that are either completely irrelevant or are so unlikely it’s not even worth mentioning.
  • Nordlys Jeger
    Nordlys Jeger over 5 years
    @Appleoddity what of it is completely unlikely? Do you mean this: "Anyone with an antenna and radio in your proximity can collect traffic."?
  • Appleoddity
    Appleoddity over 5 years
    @NordlysJeger a very specific question was asked. Basically, can my employer see the information after the domain name? Covering all this extra stuff is not inaccurate, but only leads to confusion as most of it doesn’t even apply to the very specific question. You can see it confused the OP who indicated he still doesn’t understand.
  • Appleoddity
    Appleoddity over 5 years
    @NordlysJeger specifically to you, the suggestion others might see encrypted traffic is irrelevant and obvious, and a man in the middle attack is almost completely unfeasible if this device has not been modified or the user has not been tricked in some way, which in itself could prove to be illegal by the company.
  • confetti
    confetti over 5 years
    @Appleoddity Are you saying a MITM attack is not possible unless OP's iPhone has been modified? Me and mitmproxy would argue against that, depending on how the network is setup.
  • Jim D
    Jim D over 5 years
    Thanks. Does this mean you (generally) agree with my scenario 1, i.e. there is a DNS request that is just google.com and then a handshake and only the receiving server sees the request for "/news"? I.e. the "/news" is not logged on router logs?
  • Jim D
    Jim D over 5 years
    Thanks, Apple. That’s very helpful. So the company’s router wouldn’t “see” and therefore log anything after the domain name?
  • Attie
    Attie over 5 years
    @Appleoddity just because I guessed what happened for OP before writing my answer doesn't mean I should leave out technical (and relevant) details. "Can the full URL be seen by my employer?" - see above for ways in which they might be able to identify what you did. I have added the "in summary" section to try to make it less confusing.
  • Ultrasonic54321
    Ultrasonic54321 over 5 years
    You can eliminate DNS-based monitoring by using a "DNS-over-HTTPS" server like Google Public DNS (8.8.8.8/8.8.4.4) or by using Cloudflare's 1.1.1.1 (1.1.1.1/1.0.0.1).
  • Attie
    Attie over 5 years
    @Ultrasonic54321 Indeed, but it's not just a matter of directing DNS queries at those hosts...
  • Appleoddity
    Appleoddity over 5 years
    @JimD yes, that is correct.
  • Jim D
    Jim D over 5 years
    Thanks. This is helpful and sets my mind at rest (somewhat). Does the analysis change if the company is using a web proxy?
  • Christopher Hostage
    Christopher Hostage over 5 years
    Maybe. Familiarize yourself with Wireshark and other tools, and see what the actual packets leaving your PC say. I just tried it in Chrome and Firefox on PC and Mac to confirm that scenario #1 appears to be the case. But don't take my word for it - test it yourself using multiple tools. Look into the Mac/*nix tool "dig" as well. And mind my original answer - assume that your employer can see everything.
  • Hello
    Hello about 4 years
    @Appleoddity, but for your number 3: "Your sign in name if you had to enter it to connect to WiFi." Your answer is the company may not even know whose phone it is that is on their network. I don't understand it. You log in to the wifi with your name, so the company should be able to locate who you are. Is it right?