Brand Logo
Help
  • Get started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Login / Register
Help
  • Get started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
close
  • Community Home
  • Forums
    • By Topic
    • By Topic
      EcoStruxure Building
      • Field Devices Forum
      • SmartConnector Forum
      EcoStruxure Power & Grid
      • Gateways and Energy Servers
      • Metering & Power Quality
      APC UPS, Critical Power, Cooling and Racks
      • APC UPS Data Center & Enterprise Solutions Forum
      • APC UPS for Home and Office Forum
      EcoStruxure IT
      • EcoStruxure IT forum
      Remote Operations
      • EcoStruxure Geo SCADA Expert Forum
      • Remote Operations Forum
      Industrial Automation
      • Alliance System Integrators Forum
      • AVEVA Plant SCADA Forum
      • CPG Expert Forum DACH
      • EcoStruxure Automation Expert / IEC 61499 Forum
      • Fabrika ve Makina Otomasyonu Çözümleri
      • Harmony Control Customization Forum
      • Industrial Edge Computing Forum
      • Industry Automation and Control Forum
      • Korea Industrial Automation Forum
      • Machine Automation Forum
      • Modicon PAC Forum
      • PLC Club Indonesia
      Schneider Electric Wiser
      • Schneider Electric Wiser Forum
      Power Distribution IEC
      • Eldistribution & Fastighetsautomation
      • Elektrik Tasarım Dağıtım ve Uygulama Çözümleri
      • Paneelbouw & Energie Distributie
      • Power Distribution and Digital
      • Solutions for Motor Management
      • Specifiers Club ZA Forum
      • Електропроектанти България
      Power Distribution NEMA
      • Power Monitoring and Energy Automation NAM
      Power Distribution Software
      • EcoStruxure Power Design Forum
      • LayoutFAST User Group Forum
      Light and Room Control
      • SpaceLogic C-Bus Forum
      Solutions for your Business
      • Solutions for your Business Forum
      Support
      • Ask the Community
  • Knowledge Center
    • Building Automation Knowledge Base
    • Geo SCADA Knowledge Base
    • Industrial Automation How-to videos
    • Digital E-books
    • Success Stories Corner
  • Events & Webinars
    • All Events
    • Innovation Talks
    • Innovation Summit
    • Let's Exchange Series
    • Partner Success
    • Process Automation Talks
    • Technology Partners
  • Ideas
    • EcoStruxure Building
      • EcoStruxure Building Advisor Ideas
      Remote Operations
      • EcoStruxure Geo SCADA Expert Ideas
      • Remote Operations Devices Ideas
      Industrial Automation
      • Modicon Ideas & new features
  • Blogs
    • By Topic
    • By Topic
      EcoStruxure Power & Grid
      • Backstage Access Resources
      Remote Operations
      • Remote Operations Blog
      Industrial Automation
      • Industrie du Futur France
      • Industry 4.0 Blog
      Power Distribution NEMA
      • NEMA Power Foundations Blog
      Light and Room Control
      • KNX Blog
      Knowledge Center
      • Digital E-books
      • Geo SCADA Knowledge Base
      • Industrial Automation How-to videos
      • Success Stories Corner

NMC2 firmware enhancement request for HTTP->HTTPS redirect

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • Home
  • Communities
  • APC UPS, Critical Power, Cooling and Racks
  • APC UPS Data Center & Enterprise Solutions Forum
  • NMC2 firmware enhancement request for HTTP->HTTPS redirect
Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Mute
  • Printer Friendly Page
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
You have entered an invalid email address. Please re-enter the email address.
This co-worker has already been invited to the Exchange portal. Please invite another co-worker.
Please enter email address
Send Invite Cancel
Invitation Sent
Your invitation was sent.Thanks for sharing Exchange with your co-worker.
Send New Invite Close
Top Experts
User Count
BillP
Administrator BillP Administrator
5022
voidstar_apc
Janeway voidstar_apc
195
Erasmus_apc
Sisko Erasmus_apc
111
TheNotoriousKMP_apc
Sisko TheNotoriousKMP_apc
108
View All
Invite a Colleague

Found this content useful? Share it with a Colleague!

Invite a Colleague Invite
Solved Go to Solution
Back to APC UPS Data Center & Enterprise Solutions Forum
Solved
Terry_Kennedy_apc
Commander Terry_Kennedy_apc
Commander

Posted: ‎2021-07-08 12:48 AM

0 Likes
3
868
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 12:48 AM

NMC2 firmware enhancement request for HTTP->HTTPS redirect

This was originally posted on APC forums on 6/29/2015


On all of the older hw02 products, if HTTP is not enabled (and HTTPS is), browsing to the device's HTTP page returns:

Protected Object. 
This object on the APC Management Web Server is protected and requires a secure socket connection.
Click here to use a secure connection.

On the NMC2 (hw05) products, browsing to the devices HTTP page returns:

Protected Object
This object on the  APC Management Web Server is protected.

In a future firmware release, could that page be changed to include a link to the device's HTTPS page as is done on the older cards? If so, it will be important to either replicate the hw02 functionality (the redirect URL contains card's IP address) or to always go to the FQDN form of the hostname as configured on the card. Otherwise (assuming the card has an SSL certificate issued to device.example.com), browsing to http://device (without the FQDN) will redirect to https://device and generate a "The security certificate presented by this website was issued for a different website's address." or similar error, since the certificate is issued for the FQDN and the user's browser is using the short-form name. I suspect that is why the hw02 implementation always redirects to the IP address.

Note that this is a cross-platform issue (UPS, PDU, ATS, etc. - anything that uses the NMC2 hardware).

Labels
  • Labels:
  • UPS Management Devices & PowerChute Software
Reply
Share
  • All forum topics
  • Previous Topic
  • Next Topic

Accepted Solutions
voidstar_apc
Janeway voidstar_apc
Janeway

Posted: ‎2021-07-08 12:49 AM

0 Likes
0
867
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 12:49 AM

This was originally posted on APC forums on 6/30/2015


If I had to guess, I think the concern is that redirecting from HTTP to HTTPS would only offer protection from passive attackers. Active ones can sit in between and keep the connection at HTTP. Not doing the redirect doesn't directly protect against this: attackers could still intercept the HTTP connection and proxy it to HTTPS, however if HTTP ordinarily doesn't work, hopefully nobody would be making an HTTP connection in the first place.

That said, a friendlier option is to use a permanent redirect so the browser autocompletes with the https:// version.

See Answer In Context

Reply
Share
Replies 3
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-08 12:48 AM

0 Likes
0
867
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 12:48 AM

This reply was originally posted by Angela on APC forums on 6/30/2015


Hi Terry,

They had removed this for security reasons. When NMC2 came out, we had a lot of questions on it but the reason is that with the link there on the HTTP page, it gives the user the direct link and configured port number to get to the HTTPS page and that is why we felt it was a security issue and not a good idea to put a hyperlink on the HTTP page since it could get a malicious user that much going closer to gaining access. I can ask about it again but I don't think the opinion has changed unless you can give me any ideas why it wouldn't be a security issue. 

Reply
Share
Terry_Kennedy_apc
Commander Terry_Kennedy_apc
Commander

Posted: ‎2021-07-08 12:49 AM

0 Likes
0
867
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 12:49 AM

This was originally posted on APC forums on 6/30/2015


I'm not sure I follow this - if bad guys are able to access http://device.example.com (even to get the page they see now), they can just try https://device.example.com, assuming the device is configured to use the default port. And it is probably a bad idea to have these devices accessible from the whole Internet, anyway.

How about this, which would actually improve that sort of security: Instead of having checkboxes for HTTP, make it 3-choice radio buttons, with the following options: a) no response (don't listen to the port and don't serve any pages), b) simple error page (the current behavior), or c) Error page with redirect to HTTPS. There probably isn't any reason to have an error or redirect page if the user tries HTTPS and it is disabled, since the user would have previously needed to enable HTTPS and install a certificate, which would be rather silly just to tell people to use HTTP.

The existing canned response on the HTTP port discloses that the device is an APC / Schneider management card, and the major version can be inferred by whether the user sees the blue or green page. That is enough that if an exploit against the firmware is disclosed, it is trivially easy to scan the whole IPv4 address space and find APC devices.

And, by the way, the NMC2 web server will serve content out of its images directory to logged-out HTTP users when HTTP is disabled. For example, http://device.example.com/images/good.gif, which is not used in the error page. The NMC2 does protect its other pages from logged-out users. However, it might be possible to infer more information than the fact that it is an APC card and the major version (which the default error page easily reveals) by seeing if a particular image exists in that directory.

 

Reply
Share
voidstar_apc
Janeway voidstar_apc
Janeway

Posted: ‎2021-07-08 12:49 AM

0 Likes
0
868
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 12:49 AM

This was originally posted on APC forums on 6/30/2015


If I had to guess, I think the concern is that redirecting from HTTP to HTTPS would only offer protection from passive attackers. Active ones can sit in between and keep the connection at HTTP. Not doing the redirect doesn't directly protect against this: attackers could still intercept the HTTP connection and proxy it to HTTPS, however if HTTP ordinarily doesn't work, hopefully nobody would be making an HTTP connection in the first place.

That said, a friendlier option is to use a permanent redirect so the browser autocompletes with the https:// version.

Reply
Share
Preview Exit Preview

never-displayed

You must be signed in to add attachments

never-displayed

Additional options
You do not have permission to remove this product association.
 
To The Top!

Forums

  • APC UPS Data Center Backup Solutions
  • EcoStruxure IT
  • EcoStruxure Geo SCADA Expert
  • Metering & Power Quality
  • Schneider Electric Wiser

Knowledge Center

Events & webinars

Ideas

Blogs

Get Started

  • Ask the Community
  • Community Guidelines
  • Community User Guide
  • How-To & Best Practice
  • Experts Leaderboard
  • Contact Support
Brand-Logo
Subscribing is a smart move!
You can subscribe to this forum after you log in or create your free account.
Forum-Icon

Create your free account or log in to subscribe to the forum - and gain access to more than 10,000+ support articles along with insights from experts and peers.

Register today for FREE

Register Now

Already have an account?Login

Terms & Conditions Privacy Notice Change your Cookie Settings © 2023 Schneider Electric, Inc