I heard that my university credentials can leak to attackers under some circumstances. What’s this about?
The security model in eduroam is well thought-out and extensively studied (see for example the security section in RFC7593). Your credentials are well-protected as long as your device is correctly configured; such correct configuration is crucial. As long as the needed configuration items are correctly configured, any of the authentication types used in eduroam (PEAP, TTLS-PAP, EAP-TLS) are secure.
Yours Identity Provider provides you at minimum with installation instructions which allow the correct and secure configuration - the most critical bit in those being that you configure your device to trust a specific Certification Authority (CA) and the name of the Identity Provider’s server name.
Many eduroam Identity Providers go a step further and provide you with installation programs or configuration files which convey the security-relevant information with a simple click-through process. One such is eduRoam CAT including the geteduroam you may want to check if your institution is listed.
Do make use of the installation programs and/or configuration instructions provided by your eduroam Identity Provider to be safe from attacks.
If you do not follow the configuration instructions, or in the unlikely case that your eduroam Identity Provider does not provide you with such, then the account data you use to log in into eduroam is indeed at risk against so-called Man-in-the-Middle attacks. For eduroam Identity Providers, not providing sufficient configuration instructions is against the eduroam participation policy. We welcome notices of such cases.
P.S.: this problem space is not specific to eduroam - any deployment of Enterprise Wi-Fi is in the same position.
