The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode.
MrEastwood
#1 Posted : Wednesday, June 1, 2016 5:31:54 AM(UTC)
Rank: Advanced Member
Location: Los Angeles, United States
Came across this web security page, entered my (non-https) SC page out of curiosity, and promptly got an "F" grade:

https://www.htbridge.com/websec/

I've avoided using a cert thus far because of how it seems to be a royal pain to get it working.
Can the devs comment on the results of http: vs https:, and whether the security issues the site brings up are a concern?

Thanks.

powellap
#2 Posted : Wednesday, June 1, 2016 12:42:11 PM(UTC)
Rank: Advanced Member
United States
I'm not sure I would run that test now that I see it leaves the results for ANYONE to view afterwards.

Anyway, after a little digging I found what they use to determine the scores...
https://www.htbridge.com/websec/#about

Scott
#3 Posted : Friday, June 3, 2016 1:18:08 PM(UTC)
Rank: Administration
United States
While these kinds of tests can be useful, I never really put much faith in their results. My personal HTTPS ScreenConnect server also gets an F for the same reasons. Also, if you put in https://www.google.com, you'll see they also give Google a failing grade.

While there are other benefits to HTTPS, an SSL certificate really adds two main things:

1. Verifying the server is who it claims to be through the certificate trust chain
2. Encrypting all HTTP traffic exchanged with the server

Without HTTPS, when you log into your ScreenConnect Host/Administration pages, those credentials are sent in cleartext (as a note, all session relay traffic is encrypted by default). If someone asks me how best they can harden their ScreenConnect server, I will recommend enabling two-factor authentication for all users and adding an SSL certificate for the web server. If you're interested, you can find information on how to enable 2FA on our KB, here.

There are a few Certificate Issuing organizations that will give you an SSL certificate that's publicly trusted for free, such as StartSSL. While I won't disagree that it can be a pain to set up, we're more than happy to lend a hand with the process.
ScreenConnect Team
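Scott's point above is that without HTTPS the credentials submitted to the Host/Administration login page travel in cleartext. The following is an added example (not ScreenConnect code, and not part of the original thread) showing the kind of check a defender can run over captured web traffic to find exactly that exposure: it parses raw HTTP requests and flags any login form field or HTTP Basic header that was sent over plain HTTP rather than inside TLS. The request samples, hostnames, paths and the `(scheme, raw_request)` capture format are all constructed for this example.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample captures, as a proxy or IDS might record them.
# Each entry is (transport scheme seen on the wire, raw HTTP request bytes).
# The hostname, paths and credentials are invented for this example.
SAMPLE_CAPTURES = [
    # 1: login form posted over plain HTTP: the password is readable on the wire
    ("http",
     b"POST /login HTTP/1.1\r\nHost: support.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 38\r\n\r\n"
     b"username=admin&password=Sup3rSecret%21"),
    # 2: the same form over HTTPS: on the wire this is ciphertext, so it is not flagged
    ("https",
     b"POST /login HTTP/1.1\r\nHost: support.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 38\r\n\r\n"
     b"username=admin&password=Sup3rSecret%21"),
    # 3: HTTP Basic credentials ("admin:hunter2", base64) sent over plain HTTP
    ("http",
     b"GET /admin HTTP/1.1\r\nHost: support.example.test\r\n"
     b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    # 4: plain GET of a page with no credentials: nothing to report
    ("http", b"GET /host HTTP/1.1\r\nHost: support.example.test\r\n\r\n"),
]

# Form field names that usually carry a secret.
CREDENTIAL_FIELD = re.compile(r"(pass(word|wd)?|secret|token|pin)", re.IGNORECASE)


@dataclass
class Finding:
    path: str    # request path the credential was sent to
    kind: str    # "form-credential" or "basic-auth"
    detail: str  # which field names / which user; never the secret itself


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(captures):
    """Return a Finding for every credential that crossed the wire unencrypted."""
    findings = []
    for scheme, raw in captures:
        if scheme != "http":
            continue  # TLS-wrapped: headers and body are not readable in transit
        method, path, headers, body = parse_request(raw)

        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth.split(None, 1)[1]).decode("latin-1")
                user = decoded.split(":", 1)[0]
            except (binascii.Error, UnicodeDecodeError):
                user = "<undecodable>"
            findings.append(Finding(path, "basic-auth", f"user={user}"))

        ctype = headers.get("content-type", "")
        if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            fields = parse_qs(body.decode("latin-1"))
            hits = sorted(name for name in fields if CREDENTIAL_FIELD.search(name))
            if hits:
                findings.append(Finding(path, "form-credential", "fields=" + ",".join(hits)))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURES):
        print(f"CLEARTEXT {f.kind:16} path={f.path} {f.detail}")
```

The check reports which field names or which username were exposed, never the secret value, so the report itself does not become a second copy of the credential. Note that the HTTPS capture (sample 2) is skipped purely on the transport scheme: once the login page is served over TLS, the same form post is opaque to anyone on the path, which is the second of the two benefits listed above.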