HTTPS client certificate authentication
Posted: Sun Oct 27, 2013 6:45 pm
Hiyall,
I've noticed that Qnap boxes use UPnP to open several ports to the Internet (443, 8080, 8081, etc.). This is a huge security risk.
The risk could be mitigated if you supported SSL/TLS "client certificate authentication". Note, there is an option to import a certificate already, but most users can't create their own certificates. Autogenerating a cert is not that difficult.
This means that the NAS box would create a client certificate for the workstations that need to access the services (HTTPS for example). The client certificate would be installed to the certificate store of the workstation. Then, when the client tried to connect, apache on the NAS would request a valid client certificate. If the client did not have a valid certificate signed by the NAS, the connection would be refused.
This would present a pretty good level of security and protect the services that you open to the internet for your customers by using UPnP.
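The scheme the post describes, as an added example that is not part of the original post and not QNAP's code: the NAS keeps its own CA, issues one certificate per workstation, and Apache refuses any TLS handshake that does not present a certificate chaining to that CA. It assumes the `openssl` command-line tool is available; the `PKI_DIR` location, the `nas-server.*` paths in the printed Apache snippet and the workstation names are hypothetical.

```shell
#!/bin/sh
# Added example, not QNAP's implementation. Assumes the openssl CLI.
# PKI_DIR is a hypothetical location for the NAS-side key material.
set -eu

PKI_DIR="${PKI_DIR:-./nas-pki}"

# Step 1: the NAS creates its own self-signed CA. Only client certificates
# signed by this key will be accepted by Apache.
make_ca() {
    mkdir -p "$PKI_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=NAS client CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Step 2: issue a client certificate for one workstation ($1 = name, used as CN).
# Produces name.key, name.crt and name.p12; the .p12 bundle is the file a
# Windows/macOS certificate store imports (password "changeit" here for demo).
make_client_cert() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$PKI_DIR/$name.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -out "$PKI_DIR/$name.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:changeit \
        -inkey "$PKI_DIR/$name.key" -in "$PKI_DIR/$name.crt" \
        -out "$PKI_DIR/$name.p12" 2>/dev/null
}

# Step 3 (check): the same question Apache asks at handshake time. Does the
# presented certificate chain to the NAS CA? Exit status 0 means accepted.
verify_client_cert() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# Step 4: the Apache directives the NAS vhost needs. "SSLVerifyClient require"
# makes Apache demand a certificate and drop the connection if none is
# presented or it was not signed by SSLCACertificateFile.
print_apache_config() {
    cat <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/nas-server.crt
    SSLCertificateKeyFile /etc/ssl/nas-server.key
    SSLVerifyClient       require
    SSLVerifyDepth        1
    SSLCACertificateFile  $PKI_DIR/ca.crt
</VirtualHost>
EOF
}
```

Typical use is `make_ca` once, then `make_client_cert workstation1` per machine, importing the resulting `.p12` on that workstation and restarting Apache with the printed directives in place. Because `SSLVerifyClient require` is evaluated during the TLS handshake, a scanner hitting the UPnP-forwarded port never reaches the web application at all; it gets a handshake failure. Revoking a workstation needs a CRL (`SSLCARevocationFile`) in addition to what is shown here.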