Protection of eduroam credentials

1. How is eduroam different from a VPN in terms of security?

Eduroam is only an infrastructure for authentication, it allows your institution's servers to prove that you're indeed the person that you claim to be. It only authenticates you, but doesn't tunnel your traffic or similar - your traffic is still at the mercy of whatever network you're connecting to, so you have to trust that network and its administrators to not be malicious or only use secure protocols such as HTTPS.

2. Is it any less secure to connect to eduroam somewhere other than my home institution?

Your Eduroam credentials are safe and only your home institution can see them. Your traffic is less safe and you have to trust the network and its administrators, though EAP uses a different key per user so someone else on the network wouldn't be able to eavesdrop on your traffic like they can with open or PSK-protected networks.

I'll leave the last two questions to someone else as I'm not 100% sure.

Subquestions 1 and 2 are already answered, so I take the other two:

3. How do I know that my credentials are encrypted between my device, the access point I'm connected to, and the authentication servers?

Make sure that you use an encrypted WLAN connection (otherwise your credentials can be sniffed from the air) and secure protocols like https. Then you needn't worry about security of eduroam.

4. Is there a centralized database of domains and authentication servers (i.e. how does it know which server to check for [email protected] and [email protected])?

No there isn't. eduroam knows from the right-hand side of the @ sign which institution to contact.

eduroam is based on 802.1X and WPA-Enterprise / WPA-EAP standards.

1. It is different from VPN in that your home institution is only performing the authentication; your data is secured with WPA in-air, but is then subject to whatever internet your local physical location is willing to provide you with.

2. Yes, it's less safe to use eduroam outside of your local campus, because, apart from the authentication performed by your home institution, all internet traffic will be originating through a local network where you're physically located (without being tunnelled through your home). E.g., you'll have a different IP address on a different network, which will also affect online access to academic subscriptions like IEEE Xplore.

3. This is the best question! Apparently, according to Obtain credentials by spoofing WPA/WPA2 Enterprise network? and Certificate validation with 802.1x PEAP, it's unclear whether any automatic protections are implemented in popular devices. According to UWaterloo's IST, there appears to be a web-site called eduroam Configuration Assistant Tool, located at https://cat.eduroam.org/, where you can download the settings for your institution and operating system combination, and these appear to include some sort of a root certificate (however, it appears to be a CA unrelated to the institution in question, so, it doesn't appear that any sort of real pinning is there (e.g., the eduroam CAT settings for Waterloo simply have a couple of GlobalSign root certs from Belgium, and it does match up the official instructions for Ubuntu, too -- go figure; I guess the idea is that a CA is to be trusted to always continue re-issuing the certificates to the institution annually or as needed, and to never issue certificates for the institution to an unrelated entity)).

4. Yes, at cat.eduroam.org as per above, and Ottawa is listed. However, a brief glance leads me to believe that it is not updated too frequently, as the U.S.A. is missing newer members such as University of Houston, Rice University and UTSA, for example.