Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 31 replies
  • Subscribers 1 subscriber
  • Views 94961 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint Updates over https

faygate

For the past 3 or 4 years we have posed the question to Sophos as to why we cannot update our clients out in the field using a web CID over https. So far this has failed to materialise, which I found bizarre for a company that deals with security. We are a large University and to ensure we our students and staff are protected from viruses and malware, they are allowed to install Sophos on their computers. Now as we like to ensure that we adhere to our licence our users must update Sophos using their University credentials.

As our University credentials are being used to grant access to more and more sensitive systems, this is becoming a real security issue and we are not happy about this credentials being passed over effectively in plain text! Of course we'd have the overhead of the encryption on our webservers, but I'm happy to take that hit and the servers can handle it.

Does anyway else have this requirement for updates via https? I can't believe we are the only ones.

My understanding is that this is now being discussed as a feature request, but it would be good to have some more people on board. Please post your comments below.

Regards, Richard

:226


This thread was automatically locked due to age.
Parents
  • 0

    Hello Oliver_Jury,

    please note that I am neither Sophos nor in any way affiliated with them, this is my personal opinion only.

    HTTPS can serve several purposes: (mutual) authentication, confidentiality and integrity. HTTPS is rarely used for client authentication anyway, the (AL)Update protocol takes care of server authentication and integrity - so it's "only" confidentiality which is missing with HTTP.

    Now, if you are using their personal accounts - how does this go with endpoint management? The updating policy can't be changed on a managed (Windows) endpoint - except using a hack and the the endpoints would be non-compliant. Thus clearly it's not expected that you use individual or even personal accounts.

    you have to ensure license agreement

    The risk is that a) users no longer entitled will continue to use Sophos, b) someone else uses sniffed credentials to download and update Sophos. Would definitely create a lot of publicity of b) were common. It's expected that you monitor your webserver for an unreasonable number of downloads but even if you fail to do so - so what? You could bring forward the argument that you are paying for leeches and Sophos doesn't adequately protect you from this.

    Sophos is definitely aware of case a) as well. I've had some off-the-record discussions about this topic. Sophos won't pursue you as long as your ex-users (ex-students) don't (regularly) update from the Sophos CDN (otherwise they won't be able to find out anyway).   

    In short: Use a common account (or a few). Make sure you maintain control over your license credentials (if you really have endpoints where they are needed). Observe the license terms but don't overinterpret them. And otherwise don't worry, it's Sophos' problem.   

    :smileytongue:N.B.: Any ex-student feeling the urge to install Sophos on his or her new laptop and sufficiently proficient to install it from a WebCID is entitled to a free license for the lifetime of the device :smileywink: :smileytongue:

    Christian

    :54945
Reply
  • 0

    Hello Oliver_Jury,

    please note that I am neither Sophos nor in any way affiliated with them, this is my personal opinion only.

    HTTPS can serve several purposes: (mutual) authentication, confidentiality and integrity. HTTPS is rarely used for client authentication anyway, the (AL)Update protocol takes care of server authentication and integrity - so it's "only" confidentiality which is missing with HTTP.

    Now, if you are using their personal accounts - how does this go with endpoint management? The updating policy can't be changed on a managed (Windows) endpoint - except using a hack and the the endpoints would be non-compliant. Thus clearly it's not expected that you use individual or even personal accounts.

    you have to ensure license agreement

    The risk is that a) users no longer entitled will continue to use Sophos, b) someone else uses sniffed credentials to download and update Sophos. Would definitely create a lot of publicity of b) were common. It's expected that you monitor your webserver for an unreasonable number of downloads but even if you fail to do so - so what? You could bring forward the argument that you are paying for leeches and Sophos doesn't adequately protect you from this.

    Sophos is definitely aware of case a) as well. I've had some off-the-record discussions about this topic. Sophos won't pursue you as long as your ex-users (ex-students) don't (regularly) update from the Sophos CDN (otherwise they won't be able to find out anyway).   

    In short: Use a common account (or a few). Make sure you maintain control over your license credentials (if you really have endpoints where they are needed). Observe the license terms but don't overinterpret them. And otherwise don't worry, it's Sophos' problem.   

    :smileytongue:N.B.: Any ex-student feeling the urge to install Sophos on his or her new laptop and sufficiently proficient to install it from a WebCID is entitled to a free license for the lifetime of the device :smileywink: :smileytongue:

    Christian

    :54945
Children
No Data
Unfiltered HTML