Sophos Endpoint Updates over https

For the past 3 or 4 years we have posed the question to Sophos as to why we cannot update our clients out in the field using a web CID over https. So far this has failed to materialise, which I found bizarre for a company that deals with security. We are a large University and to ensure our students and staff are protected from viruses and malware, they are allowed to install Sophos on their computers. Now as we like to ensure that we adhere to our licence, our users must update Sophos using their University credentials.

As our University credentials are being used to grant access to more and more sensitive systems, this is becoming a real security issue and we are not happy about these credentials being passed over effectively in plain text! Of course we'd have the overhead of the encryption on our webservers, but I'm happy to take that hit and the servers can handle it.

Does anyone else have this requirement for updates via https? I can't believe we are the only ones.

My understanding is that this is now being discussed as a feature request, but it would be good to have some more people on board. Please post your comments below.

Regards, Richard

  • Thanks, John, for your detailed explanation.

    Re-reading your post I think there are two distinct cases

    A) fetching updates from Sophos

    B) fetching updates from your site's server(s)

    A) does not use HTTP authentication (neither from SUM nor from AutoUpdate). Guess it requires some effort to extract the license so that someone could actually use someone else's license details to download software and updates from Sophos. The problem is, though, that if a client is configured for updating from Sophos it can continue to do so even if its owner is no longer eligible (but that has nothing to do with HTTPS).

    B) does use HTTP authentication. If basic authentication is used (or tried by the client for whatever reason - I have seen it during tests where the webserver only accepted NTLM) then the credentials are practically in plain text.

    Now I think that if a site makes sensitive data accessible "over the web" it's very likely that it uses https and that it already has one or more certificates for this purpose - and that an error will easily be detected because something else besides AutoUpdate will fail. So if https were an option I (and probably others) could use it immediately.

    BTW: anyone using an authenticating proxy to connect to an internal web-CID? This would be another challenge ...

    Christian
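
Case B above, as an added example that is not part of the original thread: a small audit that reads raw HTTP requests as a cleartext capture would show them and reports which ones carried Basic credentials, so clients that fall back to Basic can be identified. The hosts, paths, account name and password are constructed sample data.

```python
import base64
import binascii

# Constructed sample requests (hypothetical host, path and credentials).
SAMPLE_REQUESTS = [
    "GET /cid/file1 HTTP/1.1\r\nHost: updates.example.edu\r\n"
    "Authorization: Basic " + base64.b64encode(b"jdoe:Summer2012").decode() + "\r\n\r\n",
    "GET /cid/file1 HTTP/1.1\r\nHost: updates.example.edu\r\n"
    "Authorization: NTLM TlRMTVNTUAABAAAA\r\n\r\n",
    "GET /cid/file1 HTTP/1.1\r\nHost: updates.example.edu\r\n\r\n",
    "GET /cid/file1 HTTP/1.1\r\nHost: updates.example.edu\r\n"
    "authorization: basic !!!not-base64\r\n\r\n",
]


def classify(request: str) -> dict:
    """Return the auth scheme of one raw request and, for Basic, the exposed user."""
    for line in request.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        scheme = scheme.lower()
        if scheme != "basic":
            # Not readable by simple decoding (e.g. NTLM challenge/response).
            return {"scheme": scheme, "exposed": False, "user": None}
        try:
            raw = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return {"scheme": "basic", "exposed": False, "user": None}
        # Basic is base64("user:password"); the password is deliberately
        # not returned so the audit output does not leak it a second time.
        user, _, _password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": "basic", "exposed": True, "user": user}
    return {"scheme": None, "exposed": False, "user": None}


def audit(requests):
    """Classify every captured request."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for result in audit(SAMPLE_REQUESTS):
        print(result)
```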