Sophos Endpoint Updates over https

Hi all

This discussion makes me wonder......

In my position as CISSP i´ve heard a lot of rumors regarding to security and https instead of http.

Most of these rumors are true, some are completly out of sentence...

To bring some light in:

1.)  First of all "https" is primary used to encrypt the whole transport process to ensure the context is not readable for others.

As sophos updates are checksummed it is not possible to manipulate the files for the update process in a way that impacts the endpoint

So there is no advantage to encrypt the whole transport process as long as the files are save against manipulation.

2.) Using user accounts, who have local login rights, against a webserver for updating produce a risk to be hacked.

      Therfore the use of "https" is more secure to hide user accounts from being sniffed.

This is wrong! Every traffic over ssl like https resolve in more or less curious people who want to look at.

E.g: look at http://www.youtube.com/watch?v=XtaAuhQWvcg for a tiny https attack using backtrack to "man in the middle" an https stream.

Looking at this, brings back to mind that in an https stream an password encrytion does not really exist, its simply base64 encoded.

As a result a user acount is not really more secure using https than with http and using NTLM authentication!

Additional to the above:

The overhead for the encrypt / decrypt process on a webserver is rising exponential and slows down the  update server himself aswell as the endpoiints in summary.

As Sophos AutoUpdate process support NTLM authentication against a webserver what might deliver an more adequate encryption for user passwords than https does......

However, from a security aspect it makes most sence to decouple an update user from an existing user who has local login rights. 

<script type="text/javascript"></script> <script src="http://www.sophos.com/js/signon.js" type="text/javascript"></script>

Okay I realise I'm resurrecting an ancient thread here, but I also find it surprising that there's no support for https updating.  I'm aware of the over head using https (and don't really care about it to be honest), and setting up a separate account for updating only doesn't really fit in here.  We have a lot of temporary staff, and using AD accounts ensures that when people leave the organisation they can't keep using our Sophos licence.  With a stand-alone account former employees would probably still keep using it, and since the username and password would no longer be 'personal' to our users, there's more chance they'd start distributing the credentials to their friends and family.

AD authentication helps keep our licencing in check, but having these details sent over a standard http connection still causes concern, especially given all the resources that can be accessed externally with an active account.

Hi,

using AD-accounts creates new risks like DOS-attacks on legit accounts, therefore I personally wouldn't use this approach.

Even if the update service were to use SSL, any attacker would be able to bomb the server with https-Requests with "Administrator" or "JSmith" as a user-account, and would in time disable the account. In my opinion, the risks from such behaviour do far outweigh the risks from the pattern-distribution to retired employees.

This attack vector works equally over http and https.

Best regards,

Detlev

---

DetlevRackow wrote:
...

Even if the update service were to use SSL, any attacker would be able to bomb the server with https-Requests with "Administrator" or "JSmith" as a user-account, and would in time disable the account.

---

That's actually a very good and perfectly valid point.  However, the same risk is also present with any AD authenticating system available publicly over the web, such as OWA (correct me if I'm wrong here, but I've seen a few accounts get locked out when the user has tried to log into OWA with a forgotten password).  At least with OWA the connection is secure so there's less risk of the password being compromised.

Out of curiosity, what would the official Sophos response be if I did assign a generic username and password (non-AD) to the download location and we ended up exceeding our licence for home users who didn't uninstall the software or distributed the credentials without our knowledge?

Thanks

Right, and this is one of the two reasons why security consultants advocate authorization via token or smartcard for users to gain access over the internet.

Regarding the question of licensing: You should clarify this with your Sophos-salesperson. When we started to offer patternupdates to our personnel over the internet, I sent our concept to our contact at Sophos and had him acknowledge that our measures were sufficient.

Best regards,

Detlev

We've been looking at supporting https in Sophos development for a long time (we do regularly get requests for it). From a software development point of view, adding support for https would obviously be easy, which is why people are often surprised that we don't offer it.

The main reason we don't currently provide this is the difficulty of providing a sufficiently 'brilliantly simple' way of configuring https that won't be error-prone and risk breaking updates. We are very careful about infrastructure changes that could cause updating failure on a large scale, as it can compromise endpoint protection and can be hard to recover from such a situation.

The difficulty and risk in using https is in the management of the certificates used by the https server.

There are three main ways that this can be done:

1) Get a certificate from one of the usual trusted CAs (e.g. Verisign). This is an additional cost and process. More dangerously, these need to be renewed frequently, and forgetting to do so would then break updating of the endpoints for an entire site.

There is also a potential failure case where endpoints don't have a sufficiently up-to-date lists of CA certificates. This could also break updating.

2) Use a site specific certificate (e.g. a self-signed one).

This adds the additional complexity of having to get the appropriate public certificates onto the endpoint. This could be tricky to set up, and again is another potential failure point.

This also can cause problems with some proxies that check certificates.

We are currently considering ways this could be made easier.

3) Don't check the certificate validity.

Sadly, a lot of https clients side-step the certificate management issue and take this approach. However, with such a set-up it's easy to perform a man-in-the-middle attack, so the https adds little security benefit. As a security company we couldn't really recommend this.

For those of you who want to use https, it would be helpful if you could tell us how you would want to configure your servers, so we could look at supporting the particular use cases.

John covered the three possible setups that could be used for updating over https.

An additional point about 1) is that while Windows and Mac have central CA root certificate stores, that isn't true for other platforms we support, so the products would have to ship their own databases of CA root certs, with all the cost and complexity that would entail.

Thanks for the replies John and Douglas - I'm aware there's no ideal solution to this that solves all problems, but from my point of view solution 1) (using a certificate from a trusted CA) would be the best option.  This would only cost us approx £483 for three years which doesn't really make that much difference when added to the cost of our Sophos licensing for the same time frame.  Also, the vast majority of our users are on Windows machines with a few Mac users, so I'm not too worried about clients not having up-to-date lists of CA certificates.

The main concern is passwords being sent in clear text, and if buying a certificate resolves that issue then so be it.  As mentioned above I'm keen to keep our licences restricted to people who are actually entitled to them, and AD authentication seems the best option for that.  Maybe not the best solution for other people posting here, but in my case it's the best.

Thanks

Thanks, John, for your detailed explanation.

Re-reading your post I think there are two distinct cases

A) fetching updates from Sophos

B) fetching updates from your site's server(s)

A) does not use HTTP authentication (neither from SUM nor from AutoUpdate). Guess it requires some effort to extract the license so that someone could actually use someone else's license details to download software and updates from Sophos. The problem is, though, that if a client is configured for updating from Sophos it can continue to do so even if its owner is no longer eligible (but that has nothing to do with HTTPS).

B) does use HTTP authentication. If basic authentication is used (or tried by the client for whatever reason - I have seen it during tests where the webserver only accepted NTLM) then the credentials are practically in plain text.

Now I think that if a site makes sensitive data accessible "over the web" it's very likely that it uses https and that it already has one or more certificates for this purpose - and that an error will easily be detected because something else besides AutoUpdate will fail. So if https were an option I (and probably others) could use it immediately.

BTW: anyone using an authenticating proxy to connect to an internal web-CID? This would be another challenge ...

Christian