Date: Thu, 27 Jul 2000 11:33:38 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: Adam Furman <afurman@amf.net>
Cc: "Mire, John" <jmire@lsuhsc.edu>, freebsd-security@freebsd.org
Subject: Re: NetMAX-Firewall with Router
Message-ID: <Pine.NEB.3.96L.1000727113002.93015E-100000@fledge.watson.org>
In-Reply-To: <20000726182011.A76667@delsol.sunfire.net>
On Wed, 26 Jul 2000, Adam Furman wrote:

> and leaves Telnet open. The web software isn't even running over HTTPS if
> you want to go into security. From what they have told me they are a

I've actually had to address the problem of initial configuration for a number of embedded network devices, and am not sure your comment about HTTPS is all that useful for initial configuration. HTTP over SSL generally uses an x.509 certificate, which binds a DNS name to a key using a known authority. In order for the device to be shipped from the factory to use a globally recognized certificate, the manufacturer would have to know (in advance) the hostname you were going to access it via, and generate a certificate per box, at a non-trivial cost if they use a standard certificate authority. In practice, for el-cheapo firewall software (and in fact, almost everything else), this is just not realistic.

Now, what you can do is ship, on a piece of paper, the certificate or key fingerprints for various services, and include instructions for verifying that the key is correct using the fingerprint. But in that situation, you'll get complaints from users about obscure and insecure interfaces :-). Besides which, until recently, manual certificate verification has been rather broken in both IE and NS, meaning that doing this puts you at risk.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
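The out-of-band bootstrap Robert describes (a fingerprint printed on paper, checked by hand against the certificate the device presents, then remembered so later sessions are protected too) is the following in code. This is an added example, not code from the mail or from any of the products discussed: the certificate bytes are a constructed placeholder standing in for a real DER-encoded device certificate, and the `PinStore` class is a hypothetical helper, not an API of any real tool. It uses only the Python standard library and runs offline.

```python
"""Fingerprint-based trust bootstrap for a factory-shipped device certificate.

A certificate fingerprint is a hash over the certificate's DER encoding, so
it can be printed on a sheet in the box and compared by a human before the
first management session. Once verified, the fingerprint is pinned so that
a later certificate change is refused instead of silently accepted.
"""
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes a device would present during the
# TLS handshake (in a real check these come from the connection, e.g.
# ssl.SSLSocket.getpeercert(binary_form=True)). Not a real certificate.
DEVICE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-device-certificate-bytes"


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Return the fingerprint as upper-case hex with no separators."""
    return hashlib.new(algorithm, cert_der).hexdigest().upper()


def normalize_printed(printed: str) -> str:
    """Canonicalise a fingerprint as a user would type it from paper.

    Accepts 'AF B5 5F', 'af:b5:5f', 'AFB55F' and similar; rejects anything
    that is not an even-length hex string once separators are removed.
    """
    cleaned = re.sub(r"[\s:.-]", "", printed).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned) or len(cleaned) % 2:
        raise ValueError("printed fingerprint is not a hex string")
    return cleaned


def matches_printed(cert_der: bytes, printed: str, algorithm: str = "sha256") -> bool:
    """Compare the presented certificate against the printed fingerprint.

    The length check catches a fingerprint printed for a different hash
    algorithm; hmac.compare_digest keeps the comparison constant-time.
    """
    expected = normalize_printed(printed)
    actual = fingerprint(cert_der, algorithm)
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected.encode(), actual.encode())


class PinStore:
    """Hypothetical pin store: remembers a fingerprint once verified on paper.

    check() answers False for devices never verified (no trust yet) and for
    a device whose certificate has changed since it was pinned.
    """

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def pin(self, device: str, cert_der: bytes, printed: str) -> None:
        """Verify against the printed fingerprint, then remember the result."""
        if not matches_printed(cert_der, printed):
            raise ValueError(f"{device}: certificate does not match printed fingerprint")
        self._pins[device] = fingerprint(cert_der)

    def check(self, device: str, cert_der: bytes) -> bool:
        """True only if this exact certificate was pinned for this device."""
        pinned = self._pins.get(device)
        if pinned is None:
            return False
        return hmac.compare_digest(pinned.encode(), fingerprint(cert_der).encode())


if __name__ == "__main__":
    # Simulate the sheet in the box: the fingerprint printed in byte pairs.
    digest = fingerprint(DEVICE_CERT_DER)
    printed_sheet = " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    store = PinStore()
    store.pin("firewall-1", DEVICE_CERT_DER, printed_sheet)
    print("first session verified against paper:", store.check("firewall-1", DEVICE_CERT_DER))
    print("swapped certificate accepted:", store.check("firewall-1", b"some other certificate"))
```

The manual step happens exactly once, at `pin()`; every later session only has to pass `check()`, which is what makes the paper fingerprint worth the awkwardness Robert mentions.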