1

I am required to login to the university VPN when I am off-campus, in order to connect to a server to submit assignments for a specific class. Is the university able to see what I am doing while I am connected to the VPN? It is called cisco anyconnect secure mobility client.

Mike Smith
  • 11
  • 2
  • 1
    it's not unheard of for institutions to import their CA into the browser. This would allow them to view all HTTPS traffic. This does require you to take action to install their CA, but technically it could be hidden as part of the VPN installation – Conor Mancone Oct 05 '20 at 01:44
  • 4
    Does this answer your question? [Can my employer see what I do on the internet when I am connected to the company network?](https://security.stackexchange.com/questions/142803/can-my-employer-see-what-i-do-on-the-internet-when-i-am-connected-to-the-company) – Conor Mancone Oct 05 '20 at 01:46
  • 1
    The above may not seem like an exact duplicate but it largely is because the VPN puts you on their network, and installation of the VPN briefly gave them admin access to your machine – Conor Mancone Oct 05 '20 at 01:47

2 Answers2

3

It depends on whether or not the connection to the VPN is a split tunnel connection.

If it's a split tunnel connection, then only connections to hosts that are on the same internal network as the VPN end point are routed through the VPN. All of your other connections (e.g. to public websites such as Google, StackExchange, etc.) are not routed through the VPN. In this case, the operator of the VPN (your university in this case) would only be able to see the hosts that you are connecting to which are on the same internal network as the VPN, and would not be able to see the hosts that you are connecting to which are not on the same internal network as the VPN.

If it's not a split tunnel connection, then all of your connections are routed through the VPN. Therefore, the operator of the VPN would be able to see all of the hosts you are connecting to while you are using the VPN.

A simple way to test whether or not it's split tunnel connection is to do the following: 1) With the VPN deactivated, point your web browser to www.whatismyip.com, and note the address that the site sees you connecting from. 2) Activate the VPN, then point your browser again to www.whatismyip.com, and note the IP address that the site sees you connecting from. If the IP address is the same in both cases, then it's not a split tunnel connection. If the IP address in (2) above is not the same as the IP address in (1) above (i.e. the IP address in (2) above is an IP address assigned to you by the VPN), then it's a split tunnel connection.

Notwithstanding all of the above - if your connection is routed through the VPN, and you connect to a site using HTTPS then (barring a MITM or similar type of attack), the operator of the VPN would be able to see which sites your are connecting to, but would not be able to see the information transferred back and forth between you and the sites that you visit.

mti2935
  • 21,098
  • 2
  • 47
  • 66
  • 1
    In what scenario would a website not use https? It appears most of the websites I visit, and all of my google searches have HTTPS in the URL. Additionally, is a google search page technically its own site that they would be able to see? Or would it simply show up as google? – Mike Smith Oct 05 '20 at 00:17
  • 1
    Yes, SSL/TLS is nearly ubiquitous nowadays. Although, many sites still allow an initial http connection, which the site will then redirect to an https connection. This is an opportunity for a rogue VPN to intercept the http connection and/or perform an `ssl strip` type of attack. See https://security.stackexchange.com/questions/41988/how-does-sslstrip-work. So, to be sure, always check to make sure that connections to sites that you visit while you are connected through your VPN are by way of https. – mti2935 Oct 05 '20 at 00:22
  • Wow, great information, thank you so much for your help! your clearly an intelligent person who will do go things in life I wish you the best – Mike Smith Oct 05 '20 at 00:53
  • 1
    Note: it's not unheard of for institutions to import their CA into the browser. This would allow them to view all HTTPS traffic. This does require you to take action to install their CA, but technically it could be hidden as part of the VPN installation – Conor Mancone Oct 05 '20 at 01:44
  • @mti2935 What if VPN installs own CA? Can VPN see all HTTPS traffic in this case? How do we know that VPN wants to install CA? – user215422 Oct 05 '20 at 06:45
  • 1
    @user215422 Conor Mancone makes a very valid point. See https://security.stackexchange.com/questions/152076/is-it-acceptable-for-an-employer-to-install-a-self-signed-root-certificate-on-em/152081 and https://security.stackexchange.com/questions/171612/employer-wants-me-to-install-root-certificate-to-work-remotely-privacy-concern for more information on this scenario. – mti2935 Oct 05 '20 at 13:21
0

Technically, the VPN is just, as its name says, an encrypted tunnel that allows you to connect to a private network even if you're not inside the network.

No one should be able to see what you do by sniffing the packets between you and the university, however, your university can see all of your traffic just as if you were on the spot.

If your internet traffic goes through the VPN, they can know at least what websites do you visit by looking at the packets destination IP, and also the full clear text traffic if the website does not use HTTPS.

Some VPN infrastructures also use some kind of MITM proxy in order to enforce fake certificates for HTTPS websites and that could also allow them to decrypt your HTTPS traffic, but in this case you would have a warning on your browser saying that the connection is not secure.

  • Thank you for the response! how would I know if my internet traffic goes through the VPN? Assuming it does, for example, they would be able to see I was on google, but not what I was searching for. or that I was on espn.com but not what I was looking at specifically on that site (if its has https) correct? – Mike Smith Oct 04 '20 at 23:51