Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 1 subscriber
  • Views 5862 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Useraccounts for downloading are not secure

Oliver_Jury

Hi,

as University we have to archive that only active users get Updates for Endpoint Security (they are allowed for private use). So they use their normal University account for Updating Endpoint Security.

Our security engineer wish to use https instead http for our local download repositories because is it easy to sniff password hashes from http-protocol and these hashes are not very secure (MD5, SHA1 and SHA1 is also known as not secure any longer).

But at Endpoint Security it is not possible to use https!

Whenever you type https://<url to repo> and apply the configuration Sophos Software changes URL back to http://<url to repo>

I didn't tested it at Enterprise Console, how secure is downloads directly from sophos, could I use these hashes to Log me into these repositories too? I think so...

:54875


This thread was automatically locked due to age.
  • 0

    Hi Oliver,

    This question has actually come up numerous times in the past (see /search?q= 226 ) and I don't think it's going to go away.  A lot of us would like https to be used for web updates, even with the additional configuration it requires (mainly to do with certificates).

    If you're using web updates for private use, you probably don't want to distribute your Sophos credentials to end users, and I've a feeling Sophos wouldn't like you to do this either.  I'm not sure how feasible setting up a dummy account for updating would be, as this still allows people to distribute and use the product once their genuine accounts have expired.

    :54895
  • 0

    Have you considered giving out pre-packaged installers for Windows that allow you to include an update-account? This way, you can change the update account every other year. We do this since lots of years.

    Given the low security of http-basic authentication it is clearly not advisable to use regular user accounts for the authentication to the distribution server. That would mean accepting high risks for the corporate network at the small benefit of better control over Sophos distribution. Clearly, Sophos can not expect that we do this as long as they do only offer insecure authentication mechanisms. After all, they are a security company.

    Regards,

    Detlev

    :55003