
Sophos Endpoint Updates over https

For the past 3 or 4 years we have posed the question to Sophos as to why we cannot update our clients out in the field using a web CID over https. So far this has failed to materialise, which I found bizarre for a company that deals with security. We are a large University and, to ensure our students and staff are protected from viruses and malware, they are allowed to install Sophos on their computers. Now, as we like to ensure that we adhere to our licence, our users must update Sophos using their University credentials.

As our University credentials are being used to grant access to more and more sensitive systems, this is becoming a real security issue and we are not happy about these credentials being passed, effectively, in plain text! Of course we'd have the overhead of the encryption on our webservers, but I'm happy to take that hit and the servers can handle it.

Does anyone else have this requirement for updates via https? I can't believe we are the only ones.

My understanding is that this is now being discussed as a feature request, but it would be good to have some more people on board. Please post your comments below.

Regards, Richard



  • I really don't understand what the problem is.

    Allow only insecure authentication, with no option to use https?

    Sniffing communication is easier than building an SSL proxy, so it's very easy to fetch all of our user accounts. You can do that with your Android mobile on WLAN (ok, ours is secured against that).

    Because of our license we have to ensure that only valid members of our university get updates (including students). The only way is to use their personal accounts or to break the license agreement. Changing a static user account for web downloads periodically is not an answer...

    Why the hell is it not possible to switch the Auto-Update Client from http to https - whether or not a cert is trusted? If you don't have that need at your firm, you don't have to switch to https. If you have to ensure the license agreement and wish for higher security, you need https as basic security for user accounts. It's really better to have a TLS-wrapped user account over the wire than clear text.
