
Sophos Endpoint Updates over https

For the past 3 or 4 years we have posed the question to Sophos as to why we cannot update our clients out in the field using a web CID over https. So far this has failed to materialise, which I found bizarre for a company that deals with security. We are a large University and, to ensure our students and staff are protected from viruses and malware, they are allowed to install Sophos on their computers. Now, as we like to ensure that we adhere to our licence, our users must update Sophos using their University credentials.

As our University credentials are being used to grant access to more and more sensitive systems, this is becoming a real security issue and we are not happy about these credentials being passed over effectively in plain text! Of course we'd have the overhead of the encryption on our webservers, but I'm happy to take that hit and the servers can handle it.

Does anyone else have this requirement for updates via https? I can't believe we are the only ones.

My understanding is that this is now being discussed as a feature request, but it would be good to have some more people on board. Please post your comments below.

Regards, Richard

  • The EMLib server already has a CA cert (afaik). Can't that be used somehow? Give the ability to spit a cert out of EMLib to use on the server, then whack that into IIS or Apache. Client already has the cert, uses it for trust...

    Or, flip the idea... have an option in EMLib to add self-signed root CAs, which the updating clients will pull down. If it should have to change you add the new one, SAU downloads it, adds it to its own trust, off you go.

    Just ideas, anyway :)

  • Has anyone managed to do anything successful on remote clients and the EM console? We have many laptops that are not on the LAN often enough and we are unable to know how they're doing.

  • Hello Sunlight

    Is your question about managing the laptops with SEC? If so, you should start a new thread.

    Christian

  • I think the existing management certs don't have the right categories to cover http traffic, and don't have the right host information. But that could be changed. However we support updating endpoints that aren't managed, so that would have to be handled in some fashion.

    Similarly adding certificates to the update stream runs into interesting chain of trust issues. For example what happens if a user installs SAV Linux from a tarfile and configures updating from a SUM CID? Do they just automatically trust the first certificates they download?

  • I really don't understand what the problem is.

    Allow only insecure authentication, no option to use https?

    Sniffing communication is easier than building an SSL proxy, so it's very easy to fetch all of our user accounts. You can do that with your Android mobile on WLAN (ok, ours is secured against that).

    Because of our license we have to ensure that only valid members of our university get updates (including students). The only way is to use their personal accounts or to break the license agreement. Changing a static user account for web downloads periodically is not an answer...

    Why the hell is it not possible to switch the Auto-Update Client from http to https - whether or not a cert is trusted? If you don't have that need at your firm, you don't have to switch to https. If you have to ensure the license agreement and wish for higher security, you need https as basic security for user accounts. It's really better to have a TLS-wrapped user account over the wire than clear text.

  • Hello Oliver_Jury,

    Please note that I am neither Sophos nor in any way affiliated with them; this is my personal opinion only.

    HTTPS can serve several purposes: (mutual) authentication, confidentiality and integrity. HTTPS is rarely used for client authentication anyway, the (AL)Update protocol takes care of server authentication and integrity - so it's "only" confidentiality which is missing with HTTP.

    Now, if you are using their personal accounts - how does this go with endpoint management? The updating policy can't be changed on a managed (Windows) endpoint - except using a hack, and then the endpoints would be non-compliant. Thus clearly it's not expected that you use individual or even personal accounts.

    >>> you have to ensure license agreement

    The risk is that a) users no longer entitled will continue to use Sophos, b) someone else uses sniffed credentials to download and update Sophos. It would definitely create a lot of publicity if b) were common. It's expected that you monitor your webserver for an unreasonable number of downloads, but even if you fail to do so - so what? You could bring forward the argument that you are paying for leeches and Sophos doesn't adequately protect you from this.

    Sophos is definitely aware of case a) as well. I've had some off-the-record discussions about this topic. Sophos won't pursue you as long as your ex-users (ex-students) don't (regularly) update from the Sophos CDN (otherwise they won't be able to find out anyway).

    In short: Use a common account (or a few). Make sure you maintain control over your license credentials (if you really have endpoints where they are needed). Observe the license terms but don't overinterpret them. And otherwise don't worry, it's Sophos' problem.

    N.B.: Any ex-student feeling the urge to install Sophos on his or her new laptop and sufficiently proficient to install it from a WebCID is entitled to a free license for the lifetime of the device.

    Christian

  • Hi,

    Our users are entitled to Homeuse. And we only give them access to update from our own server(s).

    The servers that serve these downloads do so only via the web. No domain, no managed clients!

    These clients never ever get managed!

    The sniffed account can be used for every service at our university, including portal services hosting personal data, communities, mail, exams and so on. So I don't have a problem that the sniffed accounts could be used to download Sophos updates...

    Other universities with the same contract have exactly the same problem.

    We have about 18.000 user accounts - do you really think I could stay with the insecure download method?

  • Hello Oliver_Jury,

    >>> Homeuse

    Thought as much. How about letting them accept an agreement for home use which requires them to uninstall Sophos when they are no longer with the university? It's clear (to Sophos) that you can't police the home users (can you enforce that they only use one copy?), so this should (IMO!) suffice to comply with the license terms. If you want to do more than that you can still change the static account at reasonable intervals.

    Christian

  • >>> you can still change the static account at reasonable intervals.

    Years ago the download URL for Windows changed from .../ESXP to .../SAVanyything.

    To this day I see in the error log of our web servers that there are many PCs at our university that try to download from the old URL.

    I wrote letters to their administrators (several times), but some of them haven't been changed until now...

    I don't think that this is a good idea. Better to have an unlicensed PC somewhere than many unsafe systems out there.

    >>>How about letting them accept an agreement for home use...

    I wrote a letter to our Sophos representatives asking if we could use a static account for these downloads, with the possibility that former members of our university could download updates. Still waiting for an answer.

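Two defender-side checks suggested in this thread, Christian's "monitor your webserver for an unreasonable number of downloads" and the error-log observation of clients still fetching from the retired ESXP path, can be run over the web CID's own access log. The script below is an added example, not code from the thread or from Sophos; the log lines, account names, addresses and CID paths are constructed placeholders, and the threshold is an assumption.

```python
"""Monitor a password-protected web CID's access log for shared (or sniffed)
accounts and for clients still requesting a retired CID path.

Added example; all paths, accounts and addresses are constructed placeholders.
"""
import re
from collections import defaultdict

# Apache combined-log fields: client IP, ident, authenticated user, timestamp,
# request line, status, bytes. The %u field is the HTTP Basic auth user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

OLD_PREFIX = "/cid/ESXP/"  # retired CID path (placeholder based on the thread)

# Constructed sample: one account used from four addresses, one unauthenticated
# client still polling the retired path and getting a 404.
SAMPLE_LOG = """\
10.0.0.5 - s1234567 [01/Jan/2013:10:00:01 +0000] "GET /cid/SAVCID/manifest.upd HTTP/1.1" 200 512
10.0.0.6 - s1234567 [01/Jan/2013:10:00:02 +0000] "GET /cid/SAVCID/manifest.upd HTTP/1.1" 200 512
10.0.0.7 - s1234567 [01/Jan/2013:10:00:03 +0000] "GET /cid/SAVCID/manifest.upd HTTP/1.1" 200 512
10.0.0.8 - s1234567 [01/Jan/2013:10:00:04 +0000] "GET /cid/SAVCID/manifest.upd HTTP/1.1" 200 512
10.0.0.9 - staff42 [01/Jan/2013:10:00:05 +0000] "GET /cid/SAVCID/manifest.upd HTTP/1.1" 200 512
10.0.1.2 - - [01/Jan/2013:10:00:06 +0000] "GET /cid/ESXP/manifest.upd HTTP/1.1" 404 209
"""


def analyse(log_text, max_ips_per_account=3):
    """Return (shared_accounts, stale_clients).

    shared_accounts maps each account seen from more than max_ips_per_account
    distinct addresses (a shared or sniffed credential) to its sorted IPs;
    stale_clients is the sorted list of IPs still requesting OLD_PREFIX.
    """
    ips_by_user = defaultdict(set)
    stale = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        if m["path"].startswith(OLD_PREFIX):
            stale.add(m["ip"])
        if m["user"] != "-":
            ips_by_user[m["user"]].add(m["ip"])
    shared = {u: sorted(ips) for u, ips in ips_by_user.items()
              if len(ips) > max_ips_per_account}
    return shared, sorted(stale)


if __name__ == "__main__":
    shared, stale = analyse(SAMPLE_LOG)
    for user, ips in shared.items():
        print(f"account {user} used from {len(ips)} addresses: {', '.join(ips)}")
    for ip in stale:
        print(f"client {ip} still requests the retired path {OLD_PREFIX}")
```

On a real server the same function can be fed the rotated access logs for a day; the threshold should be set from what is normal for your home-use population rather than the illustrative value used here.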