At the moment I am setting up my FreeNAS 11.2-U2 system, but what I do not like is the insecure default configuration of FreeNAS.
1. With local access you have direct root access. There is no login required in the console. This shouldn't be the case. The user should be asked for the root password.
2. https access and a redirection from http to https is NOT set up by default.
For today's standards only https should be the default configuration and http access should be forbidden. If someone really requires http access, this should be configurable in the local console.
3. In the Webgui under System->General I can't change HTTP to HTTPS. It just doesn't save the new configuration. It always jumps back to HTTP.
4. If I log out of the webgui I can log in again by just pressing the back button. And voilà, I am in. This shouldn't be the case. Access should be denied if I have logged out.
EDIT:
Okay, I think I now know the cause of the error in 3.
It doesn't auto-generate a self-signed certificate, so the configuration can't be saved without adding a certificate.
It's a good thing to add your own certificate, but for the beginning and for the default configuration there should be a self-signed certificate generated during install, to make it possible to use https right from the start without an insecure connection over http.
The user can still set up a real root-CA-signed certificate after that.
The fingerprint of the self-signed certificate should be displayed in the local console so that the user can compare it when connecting over https for the first time.
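Points 2 and 4 above describe two server-side behaviours a web GUI needs: plain-http requests must be redirected to https, and logging out must actually end the session so that the browser's back button cannot get back into an authenticated page. The following is an added illustration, not FreeNAS code and not the original poster's: a constructed, framework-free model of a GUI request handler in which the session lives in a server-side store, logout deletes it there (rather than only clearing the cookie), and every authenticated response carries `Cache-Control: no-store` so the browser will not replay a cached page. The user table, salt, placeholder password, session timeout and handler names are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL = 15 * 60      # assumed idle timeout in seconds (not a FreeNAS value)
PBKDF2_ROUNDS = 100_000

# Constructed credential table: one user with a salted PBKDF2-SHA256 hash.
# The password is a placeholder for the demo only.
_SALT = b"constructed-demo-salt"
USERS = {"root": hashlib.pbkdf2_hmac("sha256", b"example-only", _SALT, PBKDF2_ROUNDS)}


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison; unknown users cost the same as known ones."""
    stored = USERS.get(user, b"\x00" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored, candidate) and user in USERS


class SessionStore:
    """Server-side session table: only the server decides whether a session is alive."""

    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self._now = now

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 random bits, unguessable
        self._sessions[token] = (user, self._now())
        return token

    def user_for(self, token: Optional[str]) -> Optional[str]:
        if token is None or token not in self._sessions:
            return None
        user, last_seen = self._sessions[token]
        if self._now() - last_seen > SESSION_TTL:  # idle too long: drop it
            del self._sessions[token]
            return None
        self._sessions[token] = (user, self._now())
        return user

    def destroy(self, token: Optional[str]) -> None:
        # Logout must remove the server-side record; clearing the cookie alone
        # leaves a token the browser (or history cache) may still present.
        self._sessions.pop(token, None)


# Headers that stop the browser from re-showing an authenticated page from cache.
NO_STORE = {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}
HSTS = {"Strict-Transport-Security": "max-age=31536000"}


def session_cookie(token: str, expire: bool = False) -> str:
    attrs = "Path=/; Secure; HttpOnly; SameSite=Strict"
    return f"sessionid=; Max-Age=0; {attrs}" if expire else f"sessionid={token}; {attrs}"


def handle(store: SessionStore, method: str, path: str, scheme: str, host: str,
           token: Optional[str] = None, form: Optional[Dict[str, str]] = None):
    """Returns (status, headers, body) for one request; `token` is the sessionid cookie value."""
    # Point 2: never serve the GUI over plain http; redirect and pin https with HSTS.
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}", **NO_STORE}, ""
    headers = {**HSTS, **NO_STORE}

    if path == "/login" and method == "POST":
        form = form or {}
        if not check_password(form.get("user", ""), form.get("password", "")):
            return 401, headers, "invalid credentials"
        new_token = store.create(form["user"])
        return 303, {**headers, "Location": "/", "Set-Cookie": session_cookie(new_token)}, ""

    if path == "/logout" and method == "POST":          # POST only, so a link can't log you out
        store.destroy(token)
        return 303, {**headers, "Location": "/login",
                     "Set-Cookie": session_cookie("", expire=True)}, ""

    # Point 4: every other page re-checks the session against the store on each request.
    user = store.user_for(token)
    if user is None:
        return 302, {**headers, "Location": "/login"}, ""
    return 200, headers, f"dashboard for {user}"


if __name__ == "__main__":
    s = SessionStore()
    _, h, _ = handle(s, "POST", "/login", "https", "nas.local",
                     form={"user": "root", "password": "example-only"})
    tok = h["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(handle(s, "GET", "/", "https", "nas.local", tok)[0])        # 200
    handle(s, "POST", "/logout", "https", "nas.local", tok)
    print(handle(s, "GET", "/", "https", "nas.local", tok)[0])        # 302: back button fails
```

The "back button" symptom from point 4 has two halves, and the model covers both: the store no longer knows the token after `destroy`, so a replayed request is bounced to `/login`, and `no-store` means the browser has no cached copy of the dashboard to show without a request.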