QNAP NAS Community Forum

[bugyou2]

What is a certificate for? Can I use Qnap https without certificate?

[schumaku]

What is a certificate for?

Far to much to explaian in a few words - start here: http://en.wikipedia.org/wiki/Secure_Soc ... escription

Can I use Qnap https without certificate?

Without? No. With the default certificate (and private key): Yes ... however pleae understand the private key is well known and distributed with all QNAP NAS firmware. So in therory - anybody able to capture the SSL/TLS data stream from a client to the NAS, would be able to decode it.

[bugyou2]

What is a certificate for?

Far to much to explaian in a few words - start here: http://en.wikipedia.org/wiki/Secure_Soc ... escription

Can I use Qnap https without certificate?

Without? No. With the default certificate (and private key): Yes ... however pleae understand the private key is well known and distributed with all QNAP NAS firmware. So in therory - anybody able to capture the SSL/TLS data stream from a client to the NAS, would be able to decode it.

Thank you! But how come I get this from firefox and then when I click on I understand the risks -> add exception -> confirm security exception I can get thru my Qnap. Does it really work this way with the default certificate you were talking about?

[schumaku]

Does it really work this way with the default certificate you were talking about?

Yes. Once you have a fixed hostname (rep. a fully qualified one), I sugest you are start to look-out for a free or commecrial security cetificate.

[tmt]

Actually, the cause of this isn't the hostname, it's the chain of trust. Because of the way the default NAS certificate is self-signed, it doesn't have a CA (certifying authority). And because there's no CA, there is no way for the browser to trust it.

It is possible to create a self-signed cert that does have a CA, and then such a CA cert could be stored by the browser and it wouldn't squawk. But that's a bit of a challenge to set up, so unless you want to turn off this warning altogether, I agree the safest and best approach is to obtain a proper cert.

[bugyou2]

Thanks for the replies. But is it still ok to access Qnap https without a certificate?

[tmt]

Sure, as long as you're aware that the encryption you obtain from the default QNAP certificate is not completely private. However, it would still take a rather sophisticated attacker to exploit this.

Depending on how concerned you are about this, and how technical you may be, there's a QNAP wiki page describing how to generate your own certificate. It's still self-signed, and therefore not universally trusted by browsers, but it does generate a new non-shared private key of your chosen length. The wiki is here: http://wiki.qnap.com/wiki/Use_OpenSSL_t ... connection