3 Replies Latest reply on Jun 30, 2010 3:44 PM by Mach6

    HTTPS Communication

    Rookie

      Will disabling https binding and forcing http break any of the communication between the core server and the local agents?  The encryption method currently being used for https is old and is being flagged as a vulnerability in some of our scanning, and our network engineer is looking at multiple ways to resolve this.

        • 1. Re: HTTPS Communication
          Employee

          Yes, it will break a lot.

          If I understand the situation, your engineers are recommending that a security method that is flagged as being vulnerable (which at this point is still a theoretical vulnerability) should be replaced with a solution that simply has no security.  Am I understanding correctly?  ("The front door wouldn't stand up to a tank anyway, so let's just leave the door open when we go on vacation.")

          • 2. Re: HTTPS Communication
            Rookie

            The preferred method would be to switch the https encryption method from MD5 to SHA1 or SHA2 (specifically needed on ports 9593 and 9594).  Do you know if this is possible and how I would go about doing this?

            In regards to the original question, I think I framed it incorrectly.  Our network engineer was trying to determine what communication was taking place via https for LANDesk and based on that was going to make a decision whether or not it needed to be encrypted.  I agree that we don't want an unencrypted method for sensitive data.  I am trying to further develop my knowledge of how LANDesk works at the network level and did not have a good answer, hence the original post (I was thinking that was how the agents communicated with the Core Server, but was not sure).

            • 3. Re: HTTPS Communication
              Employee

              I see, that makes a lot more sense.  Sometimes I've seen network guys get so caught up in making sure all their test checkboxes come out OK that they don't really think about what they are doing.  I wanted to make sure that wasn't the case here.

              Right now there isn't a way to go from MD5 to SHA-1.  This is something that our developers are aware is an issue that needs to be resolved, but at this point I don't have any information about timeline, steps involved, etc.  I wish I had a magic bullet for you right now, but at this point MD5 is the only option.