shawnkhall  
#1 Posted : Thursday, April 26, 2018 9:01:43 PM(UTC)
shawnkhall


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 2/6/2014(UTC)
Posts: 295
Man
United States

Thanks: 7 times
Was thanked: 25 time(s) in 22 post(s)
ConnectWise -- the same company that assures us that they need access to the source code for our custom extensions for our own safety and that they'll review our submissions "quickly" -- has still not replaced the certificate for this very forum after more than a week.

I contacted ConnectWise through their support system and a very active member of the Control forum staff directly through the forum to report this issue 8 days ago, the day after Chrome 66 was released. The forum is still using a disavowed Symantec certificate.

Forum still insecure after a week

Big deal/what's the risk? This forum is the epitome of a "watering hole." Members of this forum are known to use specific software that grants remote access to potentially thousands of devices per compromised user, making them high value targets. The "proceed anyway" option to ignore the certificate issue encourages forum members to access risky content through the ConnectWise site (such as malicious embedded images that might respond with evil headers), which could potentially infect ConnectWise Control forum users (and thus their users' users) with malware.

Why not just visit the forum without SSL/TLS? That's a joke. Every website should be using HTTPS these days. There's no valid reason not to use SSL/TLS today.

ConnectWise: Please replace this certificate as soon as possible.
shawnkhall  
#2 Posted : Monday, April 30, 2018 5:07:35 PM(UTC)
ConnectWise implemented a "fix" for this - to force connections not to use HTTPS. The fix strips away the context during the redirect, resulting in any direct HTTPS link being shoved to the root of the forum. This means that all the email messages sent from the forum lose their context by the time the link goes through. Password reset messages? Forget about it. Message notifications? Homepage only. Every deep link ever made to HTTPS content in the forum is lost.

Moreover, it still means that every login to this forum isn't secured.

Seriously - is this really the best we can expect from an organization we rely on for 'secure' connectivity to our client computers?
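A check a site administrator could run over redirect hops to catch the two problems described in the post above, the HTTPS-to-HTTP downgrade and the loss of the deep link. This is an added example, not part of the thread and not ConnectWise's code; the host `forum.example`, the sample paths and the finding names are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

def audit_redirect(requested_url, location):
    """Return findings for one redirect hop (requested URL -> Location header)."""
    src = urlsplit(requested_url)
    # Location may be relative, so resolve it against the requested URL first.
    dst = urlsplit(urljoin(requested_url, location))
    findings = []
    if src.scheme == "https" and dst.scheme != "https":
        findings.append("scheme-downgrade")   # login and session cookies now travel in clear text
    if (src.hostname or "").lower() != (dst.hostname or "").lower():
        findings.append("host-changed")
    if src.path.rstrip("/") != dst.path.rstrip("/"):
        findings.append("path-changed")       # deep link collapsed, e.g. to the forum root
    if src.query != dst.query:
        findings.append("query-changed")      # topic id, reset token, etc. dropped
    # The fragment (#post...) is never sent to the server and the browser
    # carries it across the redirect itself, so it is not compared here.
    return findings

def audit_hops(hops):
    """Map each requested URL to its findings, keeping only the problematic hops."""
    return {url: f for url, loc in hops if (f := audit_redirect(url, loc))}

# Constructed sample hops: (URL the client requested, Location header returned).
SAMPLE_HOPS = [
    # The behaviour described above: HTTPS deep link pushed to the HTTP root.
    ("https://forum.example/posts/t1234-Example.aspx?page=2#post5678",
     "http://forum.example/"),
    # A context-preserving upgrade to HTTPS: nothing to report.
    ("http://forum.example/posts/t1234-Example.aspx?page=2",
     "https://forum.example/posts/t1234-Example.aspx?page=2"),
    # A relative Location that keeps scheme, path and query.
    ("https://forum.example/login.aspx?returnurl=%2fposts",
     "/login.aspx?returnurl=%2fposts"),
]

if __name__ == "__main__":
    for url, findings in audit_hops(SAMPLE_HOPS).items():
        print(url, "->", ", ".join(findings))
```
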
shawnkhall  
#3 Posted : Monday, April 30, 2018 5:17:27 PM(UTC)
Here's an example link to this very post that is using ConnectWise's patented "strip away everything relevant, including security" redirect:
https://controlforum.con...-security.aspx#post39868

Is there a specific reason why you don't want to just drop the $30 on a replacement certificate, or even just have it rekeyed (free!)?
shawnkhall  
#4 Posted : Wednesday, May 2, 2018 3:12:02 PM(UTC)
HTTPS is now working again, and the redirects have been removed.

Thank you for fixing this!