Date: Thu, 27 Jul 2000 11:33:38 -0400 (EDT)
From: Robert Watson
To: Adam Furman
Cc: "Mire, John", freebsd-security@freebsd.org
Subject: Re: NetMAX-Firewall with Router
In-Reply-To: <20000726182011.A76667@delsol.sunfire.net>

On Wed, 26 Jul 2000, Adam Furman wrote:

> and leaves Telnet open. The web software isn't even running over HTTPS if
> you want to go into security. From what they have told me they are a

I've actually had to address the problem of initial configuration for a
number of embedded network devices, and am not sure your comment about
HTTPS is all that useful for initial configuration. HTTP over SSL
generally uses an x.509 certificate, which binds a DNS name to a key
using a known authority. In order for the device to be shipped from the
factory to use a globally recognized certificate, the manufacturer would
have to know (in advance) the hostname you were going to access it via,
and generate a certificate per box, at a non-trivial cost if they use a
standard certificate authority. In practice, for el-cheapo firewall
software (and in fact, almost everything else), this is just not
realistic.

Now, what you can do is ship, on a piece of paper, the certificate or
key fingerprints for various services, and include instructions for
verifying that the key is correct using the fingerprint. But in that
situation, you'll get complaints from users about obscure and insecure
interfaces :-). Besides which, until recently, manual certificate
verification has been rather broken in both IE and NS, meaning that
doing this puts you at risk.

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
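
The fingerprint check described in the message above, as an added example that is not part of the original post: it compares the certificate a device presents with a fingerprint typed in from the paper shipped with it. The function names and the sample bytes are constructed for illustration; it assumes SHA-1 or SHA-256 fingerprints and rejects any other length, including 16-byte MD5 values.

```python
import hashlib
import hmac
import ssl

# The digest is inferred from the length of the printed fingerprint.
DIGEST_BY_LENGTH = {20: "sha1", 32: "sha256"}


def parse_printed_fingerprint(text):
    """Turn a fingerprint typed from paper ('AF:B5 5f-ff ...') into bytes."""
    cleaned = "".join(ch for ch in text if ch not in " :-\t\r\n")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("fingerprint is not valid hex") from None
    if len(raw) not in DIGEST_BY_LENGTH:
        raise ValueError(f"unsupported fingerprint length: {len(raw)} bytes")
    return raw


def fingerprint_matches(cert_der, printed):
    """True only if the digest of the DER certificate equals the paper value."""
    expected = parse_printed_fingerprint(printed)
    actual = hashlib.new(DIGEST_BY_LENGTH[len(expected)], cert_der).digest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def format_fingerprint(raw):
    """Render digest bytes the way they would be printed: 'AF:B5:...'."""
    return ":".join(f"{b:02X}" for b in raw)


def fetch_cert_der(host, port=443):
    """Fetch the presented certificate; no CA validation happens here,
    so the result is untrusted until fingerprint_matches() accepts it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed stand-in for a device certificate (not real DER).
    cert = b"constructed stand-in for DER certificate bytes"
    paper = format_fingerprint(hashlib.sha256(cert).digest())
    print("matches paper:", fingerprint_matches(cert, paper))
    print("tampered cert:", fingerprint_matches(cert + b"\x00", paper))
```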