
User accounts for downloading are not secure

Hi,

As a university, we have to achieve that only active users get updates for Endpoint Security (they are allowed for private use). So they use their normal university account for updating Endpoint Security.

Our security engineer wishes to use https instead of http for our local download repositories, because it is easy to sniff password hashes from the http protocol and these hashes are not very secure (MD5, SHA1, and SHA1 is also known to be no longer secure).

But in Endpoint Security it is not possible to use https!

Whenever you type https://<url to repo> and apply the configuration, the Sophos software changes the URL back to http://<url to repo>

I haven't tested it in Enterprise Console. How secure are downloads directly from Sophos? Could I use these hashes to log in to these repositories too? I think so...



This thread was automatically locked due to age.
  • Hi Oliver,

    This question has actually come up numerous times in the past (see /search?q= 226 ) and I don't think it's going to go away.  A lot of us would like https to be used for web updates, even with the additional configuration it requires (mainly to do with certificates).

    If you're using web updates for private use, you probably don't want to distribute your Sophos credentials to end users, and I've a feeling Sophos wouldn't like you to do this either.  I'm not sure how feasible setting up a dummy account for updating would be, as this still allows people to distribute and use the product once their genuine accounts have expired.
