https for BrightSign Players

Hi all,

Can someone direct us on how to increase security with self-signed certificates on our BrightSign players? Now they are just http://ipAddress/index.html

What are the steps required, either through BrightAuthor, SD card, BrightSignNetwork, etc.?

They are currently secured with username and password, but infosec department wants all players secured.

 

Thanks

13 comments

  • Brandon (Official comment)

    @Daniel

    It's working but not documented - please open a Support ticket for details.

    _________________________________________________________________________
    Friendly reminder, the community forum is intended for user-to-user discussion.  It is not regularly monitored. For troubleshooting problems and to ensure a timely answer from a BrightSign representative, please submit a support ticket

  • Lyndon

    You can't use a self-signed cert to access the local diagnostic page on the player. If the username and password aren't enough, the only option would be to disable the diagnostic server that's at index.html.

  • JRB Technical

    Lyndon:

    I think what they are really looking for is the diagnostic page needs to be HTTPS and not HTTP.

    Everyone is pushing for ALL network access to switch to being done over secure protocols, and not out in the open.

    Eventually BrightSign is going to have to do this, hopefully sooner rather than later. Many web browsers are already working to get to the point where they will refuse to load any HTTP web pages. Get ahead of this before it becomes a problem for users.

  • Allen H. Porter

    I am not arguing for one view or another exactly but...

    How would we update the certificate on our players in a scalable way?  The only way I can think of would be to include a renewed cert in a firmware update.  Not all of my customers like firmware updates, but I can't think of another way to renew the cert on 40,000+ players.  What would be the logic of TLS-encrypted traffic on internal communication?  I guess we would be admitting our network is or will be hacked and that is just the way it is.

    An attacker would need to:

    1.  Be inside your network.

    2.  Have an interest in controlling your signage.

    3.  Get past the locked-down OS on the player to use it as a bot.

     

    What am I not thinking of?  I have received the same HTTPS questions from customers, but I have never had one explain why.  I am not a security guy, so there is probably something I am not thinking of...

  • JRB Technical

    I understand everyone's situation is different.

    There are many players that are directly on the Internet - and through the years I have stumbled across quite a few in Google searches (I wasn't looking for them; usually I would come across log file content), almost all of them without any password protection. If I stumbled across a few, then there are likely tens of thousands or more on the Internet.

    The answer is not easy, but unsecured IoT devices on networks getting hijacked has been a huge problem.

    Regardless, if this is not fixed, eventually you will need to use a custom browser, or an old outdated browser, to gain access. There is time to figure it out, but please don't ignore this until the last minute.

  • Pedro Sunday

    Thanks for the responses. JRB is on point, and that is exactly what my infosec department is pushing for: all devices, including BrightSign, must be secured.

    In our situation, the players are installed across school campus with different campuses in other geographical regions. All accessed and managed through BrightSignNetwork and BrightAuthor.

    So is the consensus that it cannot be done, or is there a hack to get it done?

  • Allen H. Porter

    Keep in mind this is for community comment.  If you don't get a good answer here, you may want to open a case with BrightSign.

    https://brightsign.zendesk.com/hc/en-us/requests/new

  • Pedro Sunday

    Thanks Allen. I will open a case. 

  • Bryan Luksus

    Hey Pedro, did you receive an answer on this question?

  • Brandon

    @Bryan
    We're working on allowing adding HTTPS to the player's local DWS but it is not quite complete yet.

    To Pedro's overall point, though, BrightSign players should not be directly accessible from the Internet.  Players are intended to be behind a NAT layer, with a private IP, not a public one.
    You should not port-forward to the player's DWS or put the player in a DMZ.

    Get a secure connection into the network (VPN, IPSEC tunnel, port-forwarding through an authenticated SSH server, etc), or securely remote-control a machine on the network, then access the player through that.

    HTTPS for the DWS would not make it any more secure - it only secures the communication between the player and whatever is accessing it from a browser.  So it would prevent the DWS password from being sniffed, but it would not prevent the DWS from being brute-force attacked or otherwise.

    As JRB Technical has noted, there are players that we stumble across that are openly accessible to the Internet and we do try to contact the owner to advise them of the danger if we can locate them by serial number.

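    The access pattern Brandon describes above (player on a private address behind NAT, operator reaching the DWS only through an authenticated hop into the network) as an added example; this is not BrightSign's code or documentation. The POSIX shell snippet refuses to build a tunnel to any address outside the RFC 1918 private ranges and otherwise prints the SSH local port forward to the player's plain-HTTP DWS through a bastion. The bastion name, player address and local port are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not BrightSign's own tooling. Shows reaching a player's
# Diagnostic Web Server (DWS) through an authenticated SSH bastion instead of
# exposing it to the Internet. Names and addresses below are assumptions.

# Return 0 if the dotted-quad IPv4 address is in an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16), 1 otherwise. A player with a public address
# is exactly what the thread warns against, so we refuse to tunnel to one.
is_private_ipv4() {
    addr=$1
    # Reject anything that is not digits and dots, or has empty octets.
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    o1=$1; o2=$2
    if [ "$o1" -eq 10 ]; then return 0; fi
    if [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi
    if [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then return 0; fi
    return 1
}

# Print the ssh command that forwards local port $3 (default 8080) to port 80
# on the player (the DWS is plain HTTP) via the bastion host $1.
# Usage: dws_tunnel_cmd <bastion> <player-ip> [local-port]
dws_tunnel_cmd() {
    bastion=$1
    player=$2
    lport=${3:-8080}
    if ! is_private_ipv4 "$player"; then
        echo "refusing: $player is not an RFC 1918 address; the player should sit behind NAT" >&2
        return 1
    fi
    # -N: no remote shell, only the forward; -L: local port forward.
    printf 'ssh -N -L %s:%s:80 %s\n' "$lport" "$player" "$bastion"
}

# Assumed names: after running the printed command, the DWS is reachable at
# http://localhost:8080/index.html on the operator's machine only.
dws_tunnel_cmd bastion.example.net 192.168.10.25 8080
```

    The forward encrypts the DWS login from the operator's machine to the bastion; between the bastion and the player it is still plain HTTP on the LAN, which is the single hop HTTPS on the DWS itself would cover. Nothing here limits login attempts, matching Brandon's point that transport encryption does not stop brute-forcing of the DWS password.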

  • Bryan Luksus

    Got it, thanks for the explanation @Brandon.

    Does BrightSign have a published security statement, guide, recommendations list and/or FAQ on security considerations of the appliances and provisioning/publishing methods?  i.e. digital network certificate capability and/or any of the recommendations above - or is this something you're leaning on the vendors and integrators to compile and convey? As network security becomes even more of a concern - in financial and government institutions especially - this type of document would be helpful to pass along to the potential-client IT that is considering this solution for their organization.  Thanks for your help and feedback.

  • Brandon

    @Bryan

    Please contact BrightSign Sales, as they have better knowledge of market/industry-specific considerations.  They will be able to get the right people in the loop.

    United States 1-408-852-9263

    Global: +44 122 329 8500

    sales@brightsign.biz


  • Daniel

    We're working on allowing adding HTTPS to the player's local DWS but it is not quite complete yet.

    @Brandon

    Is there any update to this?
