Ethernet Gateway (Link150/ EGX150) HTTPS?

Darren_Pearce · ‎2019-11-13

Hi All,

I had a coversation during a site visit yesterday, where the customer was telling me the Link150/EGX150 was due a firmware update, to enable the web interface to be HTTPS.

Can anyone confirm if this is a current task in the roadmap for the current hardware.

Or

If a new hardware version of the Link150/EGX150 would have to be launched to enable the protocol?

We have many of these devices on sites and often have the question raised if all the hardware supports HTTPS.

Regards

Darren

Anonymous user · ‎2020-05-21

When HTTPS is enabled, EGX150 will stop communicating over HTTP and port 80 will not be used.

See Answer In Context

Anonymous user · ‎2020-01-08

Hi the community members can you help this member on this topic please?

@Romain_Polette do you think you can advise on this topic?

@Darren_Pearce , in the meantime, please check the Knowledge base, maybe you can find useful information.

But if you still in the same situation please do not hesitate to inform us here.

Have a nice day.

Randi_Dolan · ‎2020-01-08

Hi

The Link 150/EGX150 team does not monitor this board. The best way to obtain this information would be to go through the Customer Care Center and have them contact the product team.

Regards,

Randi

Romain_Polette · ‎2020-01-08

Hello @FirdousKhan ,

Dedicated thread here : https://community.se.com/t5/Gateways-and-Energy-Servers/Link-150-New-Firmware-Release-Available-v-5-...

Darren is closely following the topic.

Thanks.

Romain POLETTE
Solution Architect - France Operations

Darren_Pearce · ‎2020-01-09

Hi,

I new firmware was released for the Link150 which includes HTTPS however the function of disabling the HTTP access does not exist, leaving a vulnarability.

Regards

Darren

Randi_Dolan · ‎2020-01-09

From the Link150 Team:

An official firmware had been released on 3rd week of December 2019 which has default enabled by HTTPS
For existing customer then can upgrade the firmware and it is available in se.com with FW 005.001.015

Regards,

Randi

Darren_Pearce · ‎2020-01-13

Randi,

Yes the new firmware was released for the Link150 which includes HTTPS however the function of disabling the HTTP access does not exist, leaving a vulnarability.

Does the Link150 Team have a response to that?

Regards

Darren

Anonymous user · ‎2020-04-02

Hi Darren,

I am Asif, product prime in Global Technical Support for Gateways and Com'X. Here is the answer to your question:

When HTTPS mode is activated, all data transacted over HTTP protocol is redirected to HTTPS automatically. In this state, all packets are forwarded to HTTPS port instead of HTTP port.

Regards,

Asif

Darren_Pearce · ‎2020-04-17

Hi Asif,

Thank you for your response and the details you have provided, one question to your information, if the data request is forwarded from the HTTP to the HTTPS port for the request, how is the response correctly returned if it is providing an encripted resonse to a none encripted request?

Is it possible to shutdown port 80 rather than forward this on?

As you may be the most appropriate person for this product, can i also ask a question that has bugged me for quite a time with the Link150/EGX150, the device has a RTC i assume, with the menu option to adjust it, why is this not either intergrated to the PME time broadcast to self set, or include NTP settings perhaps?

Regards

Darren

Anonymous user · ‎2020-04-23

Hi Darren,

Thanks for your questions.

If HTTPS is enabled in EGX150, the certificate must be trusted at the customer end. If the customer lacks a certificate from a trusted authority or use HTTP instead of HTTPS, the HTTPS connection must not be enabled inside the EGX150. Cause, this kind of non-ideal communication (EGX150 having HTTPS and the customer using HTTP), leaves Man-in-the-middle type vulnerability in the system.

To answer the second part of your question, EGX150 implements neither RTC nor SNTP currently (reference: page 43 of the attached EGX150 User Guide).

One has to set the date and time manually from EGX150's web page as mentioned on the same page.

Regards,
Asif

Darren_Pearce · ‎2020-04-24

Hi Asif,

Thanks for your response, however your reply raises more concerns than my initial thoughts.

The site this query is based on does have security certificates for the domain, the site has gone through rigorous PEN testing for security too.

While i understand that if we enabled HTTPS access, we would use HTTPS in the browser to connect to the device ourselves, for any setting changes, it does sound by still leaving HTTP enabled and forwarding on the request internally to HTTPS, if a malicious party did carryout actions to create a man-in-the-middle attack, the gateway would be vulnarable to this action?

I also did believe the clock would have been maintained under power outages by an onboard backup supply, as i see little point in an ability to set the time and date if this is not maintained at all internally, an SNTP ability would resolve this issue.

Regards

Darren

Anonymous user · ‎2020-05-07

Hi @Darren_Pearce

Apology for the late reply.

Can you kindly explain a little more the following section from your last response:

While i understand that if we enabled HTTPS access, we would use HTTPS in the browser to connect to the device ourselves, for any setting changes, it does sound by still leaving HTTP enabled and forwarding on the request internally to HTTPS, if a malicious party did carryout actions to create a man-in-the-middle attack, the gateway would be vulnarable to this action?

On SNTP and RTC, I agree with you. Unfortunately, as of now, the EGX150 has neither of the time-keeping technology implemented.

Regards,

Asif

Darren_Pearce · ‎2020-05-13

Hi Asif,

From your original post;

'If the customer lacks a certificate from a trusted authority or use HTTP instead of HTTPS, the HTTPS connection must not be enabled inside the EGX150. Cause, this kind of non-ideal communication (EGX150 having HTTPS and the customer using HTTP), leaves Man-in-the-middle type vulnerability in the system.'

I have highlighted a selection of 'what if occurances'.

My customer when we set the system up wants to secure the system as much as possible, the EGX150 has the ability to use HTTPS, so i enable that function. But i can't disable HTTP.

It appears that because i can't disable HTTP there is a Man-in-the-middle type vulnerability?

If i could disable HTTP (Port 80) in the configuration, so the EGX150 does not forward a request internally, would that stop the vulnerability?

Regards

Darren

AndersDahlskog · ‎2020-05-18

Hi we get reports that with it is no longer possible to double click on the icon in Network explorer to open webbpage with the latest firmware. Instead you have to right click and then proporties to to click on the webbpage link there. Have observed the same with PM8000.

Has this anything to do with the above question/answer ?

BR/Anders

Anonymous user · ‎2020-05-21

When HTTPS is enabled, EGX150 will stop communicating over HTTP and port 80 will not be used.