Change update server to the HTTPS version

Status
Not open for further replies.

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
iX Systems puts security first. That's why they don't use HTTPS by default for the updates or the web client. Oh and the whole root for everything helps too.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Nothing in FreeNAS should be handled by manually editing config files, but I'd agree this shouldn't be the case. I'd suggest filing a bug on this.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Oh and the whole root for everything helps too.
Don't think this is justified--the "everything" that you need to use root for is system administration, which, well, would require root privileges anyway. If you're talking about the CLI, nothing prevents you from logging in as any other user you choose.
 

Garyw

Dabbler
Joined
Sep 4, 2011
Messages
45
iX Systems puts security first. That's why they don't use HTTPS by default for the updates or the web client. Oh and the whole root for everything helps too.

For the GUI I can easily generate a cert and deploy it. It would be nice to have Lets encrypt built in but that's not a must have.

Nothing in FreeNAS should be handled by manually editing config files, but I'd agree this shouldn't be the case. I'd suggest filing a bug on this.

Understood but I cannot trust any updates because they are being pulled over HTTP........
 
D

dlavigne

Guest
Notes that the updates are signed and the updater will generate an error if the there is a signature mismatch.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
For the GUI I can easily generate a cert and deploy it.

I think @kdragon75's point was iX not incorporating https by default in their own infrastructure, not that they don't activate it by default in the GUI.

I cannot trust any updates because they are being pulled over HTTP

What you trust is up to you. If they fix it in a new release, you could always download the ISO via HTTPS and do the upgrade that way.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Don't think this is justified--the "everything" that you need to use root for is system administration, which, well, would require root privileges anyway. If you're talking about the CLI, nothing prevents you from logging in as any other user you choose.
It would make sense to run the middleware as root but have a service account interact with the middleware.

How offten to you login to a *nix box as root? You should be using a non privileged user then running the needed commands with su. That way only the commands that need root are run as root and not anything and everything coming from the user logged in as root via HTTP as default.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
How offten to you login to a *nix box as root?
Actually, pretty frequently. I log in as root to do admin stuff (yes, horror of horrors, I actually log in as root, rather than as someone else and su to root), and as a non-privileged user to do non-admin stuff.

Pretty much everything that happens in the GUI would need root privileges if done at the CLI. So why is it a bad thing to have to log into the GUI as root?
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Cross site scripting to name one.
 

kernalzero

Dabbler
Joined
Apr 26, 2018
Messages
16
For the GUI I can easily generate a cert and deploy it. It would be nice to have Lets encrypt built in but that's not a must have.
I would like to see this too. It would at least make things simpler.
 
Status
Not open for further replies.
Top