@george1421 @Wayne-Workman Thanks for your thoughts on this! Definitely helpful to get some more inspiration on this topic.
I guess we need to distinguish between different communications when talking about SSL. As George mentioned there are two (or actually three) different things communicating: one is fog-client to FOG server, another is the IT admin's web browser to the FOG web UI, and the third is iPXE loading the boot menu. The fog-client has been using its own encryption protocol (HTTP within an encrypted tunnel based on certificates, similar to HTTPS but not exactly like it!) for years, and switching that to the official HTTPS standard is doable but not planned at the moment. The encryption used is state of the art and as strong as HTTPS (SSL/TLS) is.
We transfer login password, AD credentials (when configuring those) and other things like that on the web UI communication and I definitely see that securing this should be easy to accomplish for users who want/need it. But we still default to plain HTTP partly because we provide pre-compiled iPXE binaries that cannot include an SSL CA trust certificate as every FOG server in the world generates its own CA on the first install. So delivering pre-compiled iPXE binaries is not possible. I have added a script (utils/FOGiPXE/buildipxe.sh) some time ago that is called to compile a full set of HTTPS-enabled iPXE binaries embedding the “personal” FOG server CA into them. This works in most cases but it’s quite a heavy challenge if something goes wrong and we need to guide people through debugging this.
Perhaps it could be made easier to set up SSL, rather than forcing it? Perhaps make it optional, and defaulting to ‘no’.
Ok, that would be just renaming the option from force-ssl to use-ssl and ask for it as an installer question I reckon. Could do.
One of the things we are seeing with modern web browsers is that they are not liking self-signed certificates. So every site you go to that has a self-signed certificate you get the warning and have to click through a few screens to get to the site that employs a self-signed certificate.
True, but Let’s Encrypt is not an option here as Wayne already explained. Maybe we should make it easier (provide a tool) to import the CA certificate into the browser store to get rid of the self-signed messages. Not sure if that might cause other issues for users?!
Beyond SSL there are a few things that FOG developers could do to improve FOG’s security stance (i.e. MySQL, secure password, firewall, etc).
Definitely a good point!!! Should fix that before we get into encrypting everything.