-2

If I use my university's wifi, what can they see when I use apps in my phone? Could they see my tumblr blogs, for example? If I was using just the tumblr app downloaded on my phone and uploading things to my various blogs, could they see that?

Dani
  • 1
  • 2
    I don't like the fact that the suggested duplicate is also marked as a duplicate but it does address the situation and refers to its own duplicate which gives more thorough details. – Julie Pelletier Aug 23 '16 at 05:56
  • StackExchange isn't efficient on question with multiple targets. Try to focus before shooting :). – dan Aug 23 '16 at 07:30

2 Answers2

0

If you are using an unencrypted connection, they could potentially see everything that you do. They could read everything you send and receive over their network.

If you are using an encrypted connection, which is much more likely, all they can see is to whom you are connecting and what protocol you are using. Most modern systems and protocols use encryption.

If you use a VPN or proxy, they wouldn't be able to see really anything except that you are using the VPN/proxy.

The most likey scenario is that you are using an encrypted connection, so all they should be able to see is to whom you are connecting, but they won't be able to read any of the data you send or receive.

theJack
  • 131
  • 4
0

Tumblr does not enforce an encrypted session over https. So yes, you will be found out.

However, let's just say that Tumblr enforced https tomorrow.

In this case you are secure, even if your connection to the proxy is NOT encrypted.

This is because the proxy knows that you are connecting to a secure website, and therefore does not act as an http proxy for you.

It instead acts as a binary proxy, sending and receiving bits and bytes, and leaving all of the encryption to occur directly between your browser and the Tumblr web server.

The proxy would not be able to decrypt the session, because if it did, you would know because the green lock on your browser would turn to red.

Let's say that you visit two secure Tumblr sites using https, Only Cute Puppies and Hate Puppies.

(Disclaimer: Hate Puppies site, you have been reported)

Let's look at the IP addresses of these Tumblr sites (same for web as for phone app)

  • Name: onlycutepuppies.tumblr.com

    • Address: 66.6.32.21
    • Address: 66.6.33.21
    • Address: 66.6.33.149
  • Name: hate-puppies.tumblr.com

    • Address: 66.6.32.21
    • Address: 66.6.33.21
    • Address: 66.6.33.149

The sequence goes like this:

  1. Browser to proxy: I want a secure connection to Tumblr (66.6.32.21). I'm not going to tell you the full URL because my user has told me to use https. by the way this is called a CONNECT request.
  2. Proxy to Tumblr: I'd like a connection please to your server. I'm not sure what the URL is because I haven't been told.
  3. Tumblr replies to proxy: ok, here's a secure connection I've opened, just for you.
  4. Proxy replies to browser: ok, here's a secure, encrypted connection that you can use.
  5. Browser to Tumblr: wait, how do I know that this is secure?
  6. Tumblr to browser: tell you what, encrypt something using my public key (only I have the private key, hee hee).
  7. Browser to Tumblr: here's the encrypted message: sg!nio8o4883r#$Rcf34R3c
  8. Tumblr to browser: OK I've decrypted that using my private key...that was "secretpassword" right?
  9. Browser to Tumblr: yeah! OK, please connect me to onlycutepuppies.tumblr.com
  10. Tumblr to Browser: here you go, here the HTML for the home page.
  11. Proxy says nothing to both, thinking (don't mind me, all I see is gibberish). :-(
  • 1
    The client will do a CONNECT request to "hate-puppies.tumblr.com", not to 66.6.32.21. So the hostname is sent in plaintext and can be read by others. – Sjoerd Aug 23 '16 at 06:50