make Sophos Endpoint updates by WebCID possible over HTTPS
Please make it possible to use HTTPS for WebCID updates of the product Sophos Endpoint Protection. At present only HTTP is possible, which is undesirable because authentication details (credentials) are being sent over the internet in plain text.
Hi All, please add support for HTTPS allowing for mutual authentication between domain joined systems and Sophos. The situation is that if domain credentials are going to be passed in the clear across an untrusted bearer (that being the internet), then the real security consideration shouldn't be about the DMZ hosted Sophos server but what CAN be done to impact an organisation if those credentials were intercepted in transit. Realistically, domain joined systems should be able to present a computer client authentication certificate to the web service hosted in the DMZ, the server should validate it, and likewise, the client should validate the server certificate. From there, the credentials could then be passed securely and address the roaming workstation Sophos update problem no matter where they are connecting from. This seems like a very sensible thing to do and has the added benefit of not exposing the web service to DOS/Resource Exhaustion risk from non domain joined systems. Mitigating a potential credential exposure point from a compromise of the transport and not having to worry about it is fundamentally good security practice. Sure, a compromise of the server or client and extracting the credentials that way or via social engineering are valid scenarios, but that isn't specific to the Sophos solution that is offered. Thanks for listening, hopefully this can become a reality. PS... It would be nice to be able to force RMS to use TLS1.1 and TLS1.2 and to remove support for TLS1.0 which is being deprecated based on PCI DSS standards.
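As an added illustration of the mutual-authentication setup proposed above (this is not Sophos configuration and not part of the original post), the following nginx reverse-proxy configuration assumes the DMZ update share is fronted by nginx; the hostnames, certificate paths and the internal share address are placeholders.

```nginx
# Added example (not Sophos configuration): an nginx reverse proxy in front of
# the DMZ WebCID share. Hostnames and paths are placeholders.

# Plain HTTP, as WebCID is used today: the Basic-auth header carrying the
# domain credential crosses the internet unencrypted. A redirect cannot
# un-send a credential already on the wire, so endpoints must be pointed at
# the HTTPS URL; port 80 exists here only to refuse the old path.
server {
    listen 80;
    server_name updates.example.org;
    return 403;
}

server {
    listen 443 ssl;
    server_name updates.example.org;

    # Server certificate: lets the endpoint validate the update server.
    ssl_certificate     /etc/nginx/tls/updates.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/updates.example.org.key;

    # TLS 1.2 and newer only; TLS 1.0 and 1.1 handshakes are refused.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Mutual authentication: the endpoint must present a client certificate
    # chaining to the internal (domain) CA. Anything else fails the TLS
    # handshake, so non-domain machines never reach the proxied share.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Forward to the internal CID share. Basic auth still works for the
        # update client, but the credential now travels only inside TLS.
        proxy_pass http://cid-internal.example.org/;
        proxy_set_header Host $host;
        # Pass the validated client identity on for logging/auditing.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
    }
}
```

Check the result from an untrusted network: a connection without a client certificate, or one offering only TLS 1.0, should fail during the handshake before any HTTP request (and any Authorization header) is sent.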
please add this!
Please allow us to update over HTTPS. A security product pulling definitions and binaries over the Internet via HTTP is laughable.
Please allow updates over HTTPS.
This has been unresolved since at least 2009. Needs implementing, at least as an option. That way those that want it, get it. Those that don't can just ignore it.
Brian Weirich commented
How is lacking this feature even remotely acceptable to Sophos staff? In the event of having a traveling employee (and these types often need access to sensitive data) we have to create another security hole, whose credentials are easily captured, ensure that account is sufficiently restricted, manage password changes of that account, and monitor the network for intrusions from that account all because Sophos--a security company--hasn't caught up with what should be BASIC to even remotely sensitive data going over the web. Besides being an inconvenience to organizations that take their security seriously, it is just plain foolish. Please implement this.
Paul Mattias commented
Please allow HTTPS updates for access from computers outside the Enterprise. In order to be compliant with our Sophos agreement regarding one home use installation client we needed to install a SUM in our DMZ. We use the client's AD account to determine if they can access the SUM. That way if a client's account is terminated, they can no longer receive updates. However, we are concerned with the transmission of the client's plain text credentials over HTTP, as anyone monitoring the line can capture that information. Please allow this feature soon!
I would also like it to be possible to update via HTTPS.