Felenasoft

Thanks for adding the TLS secure connection feature! I do however have a few concerns:

1. By default all Xeoma installations use the same private key. While this does encrypt the connection anyone can can preform a MitM attack using that private key/cert. Would it be possible to randomly generate this private/public key by default?

2. Upon changing the certificate on the server (and restarting the service) clients connected to the server are disconnected (as expected) and are automatically re-connected without checking the certificate. Only upon close/re-open of the client is the certificate checked.

3. Currently any certificate must be manually added to clients (even signed certificates). Would it be possible to auto-accept signed certificates, and for self signed certificates prompt the user (once) about the SSL (like web browsers do)?

4. Please add information to the Xeoma Manual about TLS. Specifically, how to add the public certificate to clients which do not have a full install (including all supported OS's)

Thanks!

Hello!

dgrindle Wrote:1. By default all Xeoma installations use the same private key. While this does encrypt the connection anyone can can preform a MitM attack using that private key/cert. Would it be possible to randomly generate this private/public key by default?

Could you please clarify: should the key be generated during every installation? If so, then should the clients receive the key only manually?

dgrindle Wrote:2. Upon changing the certificate on the server (and restarting the service) clients connected to the server are disconnected (as expected) and are automatically re-connected without checking the certificate. Only upon close/re-open of the client is the certificate checked.

We were unable to repeat that, unfortunately. Could you give us a bit more details? Do the server and clients have the same version of Xeoma? What OS are you using on the server and clients? Was Xeoma installed on all of them? Could you describe step-by-step how you changed the certificate?

dgrindle Wrote:3. Currently any certificate must be manually added to clients (even signed certificates). Would it be possible to auto-accept signed certificates, and for self signed certificates prompt the user (once) about the SSL (like web browsers do)?

If possible, could you send us an e-mail (our contacts: http://felenasoft.com/xeoma/en/contacts/) with a detailed description of your suggestion? It will help us greatly to properly implement this.

dgrindle Wrote:4. Please add information to the Xeoma Manual about TLS.

We are working on that right now, thank you for your patience.

Could you please clarify: should the key be generated during every installation? If so, then should the clients receive the key only manually?

Yes, a unique key/cert should be generated during every new installation (upgrades should not overwrite the existing key/cert). Yes, clients should only receive the key manually. Ideally clients would automatically accept certificates which are signed by a certificate authority (and match the name of the requested server). Clients connecting to a server with a self signed certificate ideally would be prompted to accept the certificate in which case the cert would be added to it's local store (so that upon the next connect to that server no user prompt is required). This is a standard among web browsers/servers, and should work the same here.

We were unable to repeat that, unfortunately. Could you give us a bit more details? Do the server and clients have the same version of Xeoma? What OS are you using on the server and clients? Was Xeoma installed on all of them? Could you describe step-by-step how you changed the certificate?

I am no longer able to replicate this. I assume this was an error on my part. Please ignore this one

If possible, could you send us an e-mail (our contacts: http://felenasoft.com/xeoma/en/contacts/) with a detailed description of your suggestion? It will help us greatly to properly implement this.

I will email your support directly. Thanks!

We are working on that right now, thank you for your patience.

Thanks!

dgrindle Wrote:Yes, clients should only receive the key manually.

While manual use of keys is very secure, it poses certain inconveniences for those who aim to offer video surveillance as service for their clients. Pop-up windows with warnings about certificates tend to confuse users who are unaware of this system and cause unnecessary doubts. Xeoma was built to be handled by any user, thus, we strive to avoid complications at all costs.

I completely understand wanting to make Xeoma easy to use. My idea was something like this - Using the default certificate would cause no warning for the user (it would only provide limited security since everyone knows the private key). However, any other certificate, should be checked and properly validated (only warn if expired, domain mismatch, self signed, ect). This will allow for the best of both worlds, being simple for users, while providing true security by not allowing automatic connections to non-trusted certificates. Without properly implementing this, the connection could be subject to a MitM attack.

Unfortunately, it is quite common for users to rely on self-signed certificates, as it is a cost-efficient way of handling this layer of security. As a result, a warning message will be a very common occurrence as well. If the only way to get rid of the messages is to use a proper CA, many service providers would feel pressed into additional costs.