
Sophos Endpoint Updates over https

For the past 3 or 4 years we have posed the question to Sophos as to why we cannot update our clients out in the field using a web CID over https. So far this has failed to materialise, which I find bizarre for a company that deals with security. We are a large University and, to ensure our students and staff are protected from viruses and malware, they are allowed to install Sophos on their computers. As we like to ensure that we adhere to our licence, our users must update Sophos using their University credentials.

As our University credentials are being used to grant access to more and more sensitive systems, this is becoming a real security issue and we are not happy about these credentials being passed over effectively in plain text! Of course we'd have the overhead of the encryption on our webservers, but I'm happy to take that hit and the servers can handle it.

Does anyone else have this requirement for updates via https? I can't believe we are the only ones.

My understanding is that this is now being discussed as a feature request, but it would be good to have some more people on board. Please post your comments below.

Regards, Richard

  • Hi all

    This discussion makes me wonder......

    In my position as CISSP I've heard a lot of rumors regarding security and https instead of http.

    Most of these rumors are true, some are completely out of sentence...

    To bring some light in:

    1.) First of all, "https" is primarily used to encrypt the whole transport process to ensure the content is not readable by others.

    As Sophos updates are checksummed, it is not possible to manipulate the files for the update process in a way that impacts the endpoint.

    So there is no advantage in encrypting the whole transport process as long as the files are safe against manipulation.

    2.) Using user accounts, who have local login rights, against a webserver for updating produces a risk of being hacked.

    Therefore the use of "https" is more secure to hide user accounts from being sniffed.

    This is wrong! Every traffic over ssl like https results in more or less curious people who want to look at it.

    E.g.: look at http://www.youtube.com/watch?v=XtaAuhQWvcg for a tiny https attack using backtrack to "man in the middle" an https stream.

    Looking at this brings back to mind that in an https stream a password encryption does not really exist, it's simply base64 encoded.

    As a result a user account is not really more secure using https than with http and using NTLM authentication!

    Additional to the above:

    The overhead for the encrypt / decrypt process on a webserver rises exponentially and slows down the update server itself as well as the endpoints in summary.

    As the Sophos AutoUpdate process supports NTLM authentication against a webserver, this might deliver a more adequate encryption for user passwords than https does......

    However, from a security aspect it makes most sense to decouple an update user from an existing user who has local login rights.
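The two points argued in the thread (file integrity via checksums, and credential exposure on the wire) are separable, and the following added example, which is not from the thread, from Sophos or from any Sophos tool, makes that concrete. It assumes the update client authenticates to the web CID with HTTP Basic (an assumption; as the reply notes, NTLM is another option), parses constructed sample requests, reports which accounts are sent as Basic credentials over plain http versus https without ever returning the password, and checks a constructed update payload against its SHA-256 so that the integrity check is visibly independent of the transport. Hosts, paths, user names and passwords are all constructed.

```python
import base64
import hashlib


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def basic_auth_user(auth_header):
    """Return the user name inside an 'Authorization: Basic' header, or None.
    Base64 is an encoding, not encryption: whoever sees the header bytes can
    recover the full 'user:password' pair. Only the user name is reported here;
    the password is discarded so audit output never contains it."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, _password = decoded.partition(":")
    return user


def _basic_header(user, password):
    # Helper for building the constructed samples below.
    return "Authorization: Basic " + base64.b64encode(
        f"{user}:{password}".encode()).decode()


# Constructed sample requests (hypothetical host, path and credentials).
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "updates.example.ac.uk",
     "raw": "GET /cid/update.xml HTTP/1.1\r\nHost: updates.example.ac.uk\r\n"
            + _basic_header("alice", "not-a-real-password") + "\r\n\r\n"},
    {"scheme": "https", "host": "updates.example.ac.uk",
     "raw": "GET /cid/update.xml HTTP/1.1\r\nHost: updates.example.ac.uk\r\n"
            + _basic_header("alice", "not-a-real-password") + "\r\n\r\n"},
    {"scheme": "http", "host": "mirror.example.ac.uk",
     "raw": "GET /cid/public.xml HTTP/1.1\r\nHost: mirror.example.ac.uk\r\n\r\n"},
]


def audit_credential_exposure(requests):
    """List every request that carries Basic credentials, flagging the ones
    sent over plain http, where the header travels in the clear."""
    findings = []
    for req in requests:
        _method, path, headers = parse_request(req["raw"])
        auth = headers.get("authorization")
        if auth is None:
            continue
        user = basic_auth_user(auth)
        if user is None:
            continue
        findings.append({"host": req["host"], "path": path, "user": user,
                         "cleartext": req["scheme"] == "http"})
    return findings


# Constructed update payload and its published checksum.
SAMPLE_UPDATE = b"constructed update file contents"
SAMPLE_UPDATE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


def verify_update(payload, expected_sha256):
    """Integrity check on the downloaded file. It holds or fails regardless of
    whether the bytes arrived over http or https."""
    return hashlib.sha256(payload).hexdigest() == expected_sha256


def checksum_demo():
    """Intact payload passes; a tampered payload fails."""
    return (verify_update(SAMPLE_UPDATE, SAMPLE_UPDATE_SHA256),
            verify_update(SAMPLE_UPDATE + b"x", SAMPLE_UPDATE_SHA256))


if __name__ == "__main__":
    for finding in audit_credential_exposure(SAMPLE_REQUESTS):
        print(finding)
    print(checksum_demo())
```

Running the block lists the same account twice, once flagged `cleartext: True` (plain http) and once `cleartext: False` (https), while the checksum check gives the same answers for either transport: the checksum protects the file, not the credential.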