5 Replies Latest reply on Oct 31, 2017 10:18 AM by Scott Olswold

    HTTPS ONLY supported after 1/1/18?

    Bill Kasper Guide
    Bill Kasper Oct 30, 2017 1:13 PM

      Hi, all.  I have just been informed that HTTPS will the only method of browser form submission starting on 1/1/2018.  Across all browsers, per agreement (apparently).

       

      So if you haven't got your devices set up with HTTPS certificates you won't be able to manage them anymore, because you won't be able to submit the login form for your administrative (or any other) login.

       

      I am sure I am the last person to hear about this, and that everyone else is running SSL/TLS on all their devices for all logins...but just in case, heads up.

       

      Best,

      Bill Kasper

        • Re: HTTPS ONLY supported after 1/1/18?
          Paul LaFollette Guide
          Paul LaFollette Oct 30, 2017 2:34 PM (in response to Bill Kasper)

          Bill Kasper, I'm thinking you're not the last to know.  This is the first I had heard that.  Is there a document, news article, something that you can share showing this info?

           

          All the devices in my organization we set to use https.  We let the printers use their own internally generated certificates (which the browsers always caution about), but that is sufficient for our needs.  Much simpler than going through the pain of frequently obtaining and updating certificates for over 600 printers (which is the alternative).

           

          Thanks,

          - Paul L.

          • Re: HTTPS ONLY supported after 1/1/18?
            Scott Olswold Guide
            Scott Olswold Oct 30, 2017 4:00 PM (in response to Bill Kasper)

            Bill,

             

            I'm not too sure that this is completely accurate. Back in May, Google began making plans to blacklist sites that were asking for data (credit cards, for example) over HTTP, and that their Chrome browser, version 62 (which is out now) would begin to caution users when an HTTP form was loaded. But...you can only push a client-side operation so far. And that's the only thing that I've seen.

             

            I suspect, as is most always the case, the others (Microsoft, Mozilla, Apple, and Opera) will begrudgingly follow suit and the next revision of their browser will do the same thing. But you can't force a website owner (particularly a firmware-enabled website, as is present on almost any printer) or older browser to eschew an HTTP form in favor of one with HTTPS unless there's an implementation of middleware that is getting in the middle of all of that traffic. And that would mean that nothing is safe (and would be a bad, bad day for 100% of the world's population). Another caution: HTTPS and SSL don't necessarily mean secure, it just means that there's an agreed-upon cipher between the client and the server; a person or organization could legitimately hijack Symantec's CA and private key and then all of those Symantec-credentialed websites are basically as useful at protecting your "in flight" data as an HTTP connection would be.

             

            I could also be very wrong on the January 2018 thing. And if I am, you'll find me in the corner wearing my aluminum foil hat, reading George Orwell's 1984.