Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 31 replies
  • Subscribers 1 subscriber
  • Views 94944 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint Updates over https

faygate

For the past 3 or 4 years we have posed the question to Sophos as to why we cannot update our clients out in the field using a web CID over https. So far this has failed to materialise, which I found bizarre for a company that deals with security. We are a large University and to ensure we our students and staff are protected from viruses and malware, they are allowed to install Sophos on their computers. Now as we like to ensure that we adhere to our licence our users must update Sophos using their University credentials.

As our University credentials are being used to grant access to more and more sensitive systems, this is becoming a real security issue and we are not happy about this credentials being passed over effectively in plain text! Of course we'd have the overhead of the encryption on our webservers, but I'm happy to take that hit and the servers can handle it.

Does anyway else have this requirement for updates via https? I can't believe we are the only ones.

My understanding is that this is now being discussed as a feature request, but it would be good to have some more people on board. Please post your comments below.

Regards, Richard

:226


This thread was automatically locked due to age.
Parents
  • 0

    We've been looking at supporting https in Sophos development for a long time (we do regularly get requests for it). From a software development point of view, adding support for https would obviously be easy, which is why people are often surprised that we don't offer it.

    The main reason we don't currently provide this is the difficulty of providing a sufficiently 'brilliantly simple' way of configuring https that won't be error-prone and risk breaking updates. We are very careful about infrastructure changes that could cause updating failure on a large scale, as it can compromise endpoint protection and can be hard to recover from such a situation.

    The difficulty and risk in using https is in the management of the certificates used by the https server.

    There are three main ways that this can be done:

    1) Get a certificate from one of the usual trusted CAs (e.g. Verisign). This is an additional cost and process. More dangerously, these need to be renewed frequently, and forgetting to do so would then break updating of the endpoints for an entire site.

    There is also a potential failure case where endpoints don't have a sufficiently up-to-date lists of CA certificates. This could also break updating.

    2) Use a site specific certificate (e.g. a self-signed one).

    This adds the additional complexity of having to get the appropriate public certificates onto the endpoint. This could be tricky to set up, and again is another potential failure point.

    This also can cause problems with some proxies that check certificates.

    We are currently considering ways this could be made easier.

    3) Don't check the certificate validity.

    Sadly, a lot of https clients side-step the certificate management issue and take this approach. However, with such a set-up it's easy to perform a man-in-the-middle attack, so the https adds little security benefit. As a security company we couldn't really recommend this.

    For those of you who want to use https, it would be helpful if you could tell us how you would want to configure your servers, so we could look at supporting the particular use cases.

    :3058
Reply
  • 0

    We've been looking at supporting https in Sophos development for a long time (we do regularly get requests for it). From a software development point of view, adding support for https would obviously be easy, which is why people are often surprised that we don't offer it.

    The main reason we don't currently provide this is the difficulty of providing a sufficiently 'brilliantly simple' way of configuring https that won't be error-prone and risk breaking updates. We are very careful about infrastructure changes that could cause updating failure on a large scale, as it can compromise endpoint protection and can be hard to recover from such a situation.

    The difficulty and risk in using https is in the management of the certificates used by the https server.

    There are three main ways that this can be done:

    1) Get a certificate from one of the usual trusted CAs (e.g. Verisign). This is an additional cost and process. More dangerously, these need to be renewed frequently, and forgetting to do so would then break updating of the endpoints for an entire site.

    There is also a potential failure case where endpoints don't have a sufficiently up-to-date lists of CA certificates. This could also break updating.

    2) Use a site specific certificate (e.g. a self-signed one).

    This adds the additional complexity of having to get the appropriate public certificates onto the endpoint. This could be tricky to set up, and again is another potential failure point.

    This also can cause problems with some proxies that check certificates.

    We are currently considering ways this could be made easier.

    3) Don't check the certificate validity.

    Sadly, a lot of https clients side-step the certificate management issue and take this approach. However, with such a set-up it's easy to perform a man-in-the-middle attack, so the https adds little security benefit. As a security company we couldn't really recommend this.

    For those of you who want to use https, it would be helpful if you could tell us how you would want to configure your servers, so we could look at supporting the particular use cases.

    :3058
Children
No Data
Unfiltered HTML