Hi,

This isn't really a problem a vendor can solve in firmware (apart from offering configuration via cloud, which has its own issues). Even if they enabled TLS/SSL by default, it would just give one a false sense of security, since:

- the certificates would be invalid (public CAs don't give out certs for IP addresses),
- they would be easy to clone (due to being self-signed and/or being easy to extract from a similar device),
- and most users would have no idea how to verify it anyway (they would just click through warnings).

So effectively it can still be MITMed.

This is one of the problems that has to be solved on the user side, i.e. initialize (first boot) the device in a safe environment and upload a proper certificate (this requires an internal CA), and disable HTTP. And then train the staff to always configure these from a browser that trusts the internal CA.

Cheers,
--
Gynvael Coldwind

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/