Certificate authority recommendations for QNAP home NAS?

glenintenn
Getting the hang of things
Posts: 64
Joined: Sat Dec 01, 2018 9:48 am

Post by glenintenn »

Just wondered if anyone has any strong feelings about which certificate authority to use for a QNAP home NAS? With the QLocker advisory floating around, it just makes sense to force HTTPS, which in turn means that I need to get a cert.

It seems rather dumb (et. al. pointless?) to just Google around and find the first free cert provider and use one of theirs. I don't need Fort Knox but I do need dead bolts on the doors.

Thoughts?
GiT
QNAP TS-231P2-4G
QTS 5.0.1.2276
dolbyman
Guru
Posts: 35210
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Certificate authority recommendations for QNAP home NAS?

Post by dolbyman »

HTTPS will provide exactly no protection against those attacks... so unclear why it would matter
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Certificate authority recommendations for QNAP home NAS?

Post by jaysona »

> glenintenn wrote: Fri Apr 23, 2021 10:23 pm
> Just wondered if anyone has any strong feelings about which certificate authority to use for a QNAP home NAS? With the QLocker advisory floating around, it just makes sense to force HTTPS, which in turn means that I need to get a cert.
>
> It seems rather dumb (et. al. pointless?) to just Google around and find the first free cert provider and use one of theirs. I don't need Fort Knox but I do need dead bolts on the doors.
>
> Thoughts?

Using a TLS certificate and HTTPS will secure the communication session between the web browser (your computer in this case) and the web server (NAS in this case). A TLS certificate will not protect the NAS from being attacked by malware; the malware will just try to connect to the NAS using port 443 instead of port 8080, but it will still be able to connect to the NAS.

At the end of the day, making a NAS accessible from the Internet either via port 443 or port 8080 will result in an eventually compromised NAS.

Apparently, this cannot be stated often enough...

viewtopic.php?f=45&t=160849&start=45#p786872
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)

Re: Certificate authority recommendations for QNAP home NAS?

Post by glenintenn »

OK. In my newb reading, the QNAP bulletin https://www.qnap.com/en/how-to/faq/arti ... s-security mentions changing ports, and my simple mind was thinking one port was better than two, and if I was going to have one port it would be HTTPS and have a proper certificate on it...

Probably too much ZDNet reading?

Re: Certificate authority recommendations for QNAP home NAS?

Post by glenintenn »

My system is not exposed on the internet. This was just thinking about minimal hardening (which I've not done). The bulletin pinned on this forum mentioned this as one bullet (it also indicates not using port 443). To the points above, it's not directly related... it's just a best practice overall.

Re: Certificate authority recommendations for QNAP home NAS?

Post by dolbyman »

HTTPS in your private LAN is a hassle just because you need to work with an FQDN for them to be valid; NASNAME or IP address will result in warnings
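
The name-matching behaviour described in the post above, as an added example that is not part of the original thread: a simplified version of the check a browser makes between the name typed into the address bar and the certificate's subjectAltName entries. The hostnames, the IP address and both SAN lists are constructed for illustration; `LAN_SAN` shows, for contrast, a certificate that also lists the short name and the IP.

```python
import ipaddress

# Constructed subjectAltName lists; all names and addresses are made up.
FQDN_ONLY_SAN = [("DNS", "nas.home.example")]
LAN_SAN = [("DNS", "nas.home.example"), ("DNS", "nasname"),
           ("IP", "192.168.1.50")]

def dns_match(pattern, host):
    """Compare one dNSName entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: a wildcard counts only as the whole leftmost
        # label and needs at least two fixed labels after it.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_is_covered(typed, san):
    """True if the name typed into the browser matches an entry in san."""
    try:
        ip = ipaddress.ip_address(typed)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals match only iPAddress entries, never dNSName ones.
        return any(t == "IP" and ipaddress.ip_address(v) == ip
                   for t, v in san)
    return any(t == "DNS" and dns_match(v, typed) for t, v in san)

def report(san, typed_names=("nas.home.example", "NASNAME", "192.168.1.50")):
    """Map each way of reaching the NAS to 'ok' or 'warning'."""
    return {n: "ok" if name_is_covered(n, san) else "warning"
            for n in typed_names}

if __name__ == "__main__":
    print(report(FQDN_ONLY_SAN))
    print(report(LAN_SAN))
```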

Re: Certificate authority recommendations for QNAP home NAS?

Post by jaysona »

> glenintenn wrote: Fri Apr 23, 2021 10:49 pm
> OK. In my newb reading, the QNAP bulletin https://www.qnap.com/en/how-to/faq/arti ... s-security mentions changing ports, and my simple mind was thinking one port was better than two, and if I was going to have one port it would be HTTPS and have a proper certificate on it...
>
> Probably too much ZDNet reading?

*ugh* That is a never-ending battle and apparently a losing battle. No security person (worth the salt in their hash) will ever advise the practice of Security by Obscurity, because once the obscurity is removed, there is no security. Changing port numbers just looks good optically, but in reality it provides a minor delay in having the NAS discovered on-line.

More than two years ago, just for shiggles, I decided to place one of my NASes on-line and I rotated the ports being used. I used ports such as 32982, 47651, 61478, etc., and in all cases the NAS was discovered by some bot within a matter of weeks to a few months. With the proliferation of 10 and 100 gigabit VPSes available for rent by the minute, Internet address space scanning today is stupidly simple, ridiculously fast and cheap to perform.

There's no such thing as too much reading - ZDNet or otherwise, but you do need to step back, process what you have read, give it some deeper thought and consideration, instead of just taking everything at face value.

Re: Certificate authority recommendations for QNAP home NAS?

Post by glenintenn »

> jaysona wrote: Fri Apr 23, 2021 11:18 pm
> More than two years ago, just for shiggles, I decided to place one of my NASes on-line and I rotated the ports being used. I used ports such as 32982, 47651, 61478, etc., and in all cases the NAS was discovered by some bot within a matter of weeks to a few months. With the proliferation of 10 and 100 gigabit VPSes available for rent by the minute, Internet address space scanning today is stupidly simple, ridiculously fast and cheap to perform.
>
> There's no such thing as too much reading - ZDNet or otherwise, but you do need to step back, process what you have read, give it some deeper thought and consideration, instead of just taking everything at face value.

Fair point about reading, but until real results like you posted are known, it's not always evident what is journalistic overreach to sell eyeballs on e-mags and what is actually true.