Nope. Automatic port forwarding is a feature within myQNAPcloud.com - it can be disabled, and the ports/services can be selected and controlled.pakoistinen wrote:I've noticed that Qnap boxes use UPnP to open several ports to Internet. (443, 8080,8081, etc). This is a huge security risk.
"mitigation" means using a longer key essentially. Implementing certificated based auth properly Not that easy doing it properly. This requires a careful designed, and manageable authentication layer -pakoistinen wrote:The risk could be mitigated if you supported SSL/TLS "Client certificate authentication".
Transport layer SSL certificates - pretty much unrelated to cert auth. And limited to the primary access only, not covering virtual hosts et all.pakoistinen wrote:Note, there is an option to import a certificate already but most users cant create their own certificates.
Yes, but pretty much not manageable beyond of very few users.pakoistinen wrote:Autogenerating a cert is not that difficult.
How would you do the mapping to local users, Active Directory users, LDAP users?pakoistinen wrote:This means that the NAS box would create a client certificate for the workstations that need to access the services (HTTPS for example). The client certificate would be installed to the certificate store of the workstation. Then, when the client tried to connect, apache on the NAS would request a valid client certificate. If the client did not have a valid certificate signed by the NAS, the connection would be refused.
Not limited to UPnP port forwarding of course. And yes, of course - having a tiny PKI on the NAS (to deal with certificates for other deployments like more NAS), to issue SSL certs, to issue authentication certs, ... would make a great add-on for security.pakoistinen wrote:This would present a pretty good level of security and protect the services that you open to the internet for your customers by using UPnP.
Sorry, this is nonsense - the absence of a click and pray certificate management for authentication - what is part of a typical huge project with large corporate customers for making it properly, manageable, expandable, .... - does not make the https server nonworking.larsahlstrom wrote:Is there a solution on this obvious nonworking https-server?
In todays world of references, such a note is useless. Always provide references, links.larsahlstrom wrote:Because there is no safety...according to some QNAP documents.
Yes - within limitations (hostname not match, never trusted, and definitively no "green" bar in the browser.larsahlstrom wrote:But I wonder... even if I do not have a certificate, does the SSL work?
Hm, kind of - but not really ... all default certificates share the same private key, so technically it's possible to decrypt your SSL stream.larsahlstrom wrote:And is this communication then encrypted approximately as the banks or paypals are?
See above. Define "easily".larsahlstrom wrote:No way to easily put a tap on the TCP flow and see whats goin on?
Users browsing this forum: excaliburdk and 6 guests