Community


Password protect relay server / connections

Matthew Hardman, User (Posts: 4)
Jul 05, 2018 11:16:51 am EDT
Support level: Free or trial
Hi All,

So we are going to be using remote utilities for a POS based project we are about to launch, however we have noticed that if a user manages to get the IP address for the remote utilities relay server and they know the port, the can directly just connect straight through. Is there anyway to prevent this or put a password on the relay server for when a user wants to connect otherwise this could surely be a security breach?
Conrad, Support (Posts: 3034)
Jul 05, 2018 3:48:43 pm EDT
Hi Matthew,

Thank you for your message.

This functionality is going to be added in version 6.9.0.1 Beta 2 (the current beta is beta 1) .
Marty, User (Posts: 7)
Jul 09, 2018 2:21:07 am EDT
Support level: Free or trial
I read this thread with interest but I don't quite understand the particulars of the problem.  I'm putting together some in-house training for a team and would like to know what might change in the next beta.

if a user manages to get the IP address for the remote utilities relay server and they know the port, the can directly just connect straight through.

I'm not sure what this means, what are the steps to reproduce this issue?  As far as I can work out it's not possible to connect to any hosts without a host password or a relay logon.  I'd like to understand so I can incorporate any procedure changes in my training.  

Thanks!
Conrad, Support (Posts: 3034)
Jul 09, 2018 9:42:01 am EDT
Hello Marty,

As far as I can work out it's not possible to connect to any hosts without a host password or a relay logon.

The problem that Matthew mentioned is not about authorization or security. It's just that the server can be used as an intermediary by someone who just knows its address and port. That poses no threat to security but it's still a nuisance.

That said, in the upcoming version 6.9.0.1 beta 2 we will implement certain mechanism to protect the server from such use. Again, it's not about any "security breach" or anything like that, it's just that it is possible to "piggyback" on someone else's server should you know its address and port used.  

Thanks.

* Website time zone: America/New_York (UTC -5)