[clamav-users] Freshclam can't use HTTPS with PrivateMirror?

G.W. Haywood clamav at jubileegroup.co.uk
Wed Oct 17 21:21:18 UTC 2018


Hi there,

On Wed, 17 Oct 2018, Sean wrote:

> We have created a private mirror of clam data updates on a network
> that is not Internet connected.  We are required to encrypt network
> traffic, e.g. the mirror server must redirect http -> https.

This all seems a little strange.  Perhaps you can explain.

> ... freshclam ... port is hard coded to 80.
> 
> Is there a reason for this?  Should I file a bug?  I would think that
> utilizing https as much as possible would be a good idea.

There's nothing remotely private about a *public* database of malware
signatures, so (especially on a network that is not connected to the
Internet!) it makes very little sense to encrypt freshclam's traffic.
You might as well encrypt Sky News.  It would just mean a lot of extra
work/code/issues/cycles for no purpose, diverting scarce resources from
where they're actually needed.  Don't do it.

Will your accountants want you to encrypt NTP traffic too?  Oh - your
network isn't connected to the Internet anyway, so it won't know what
time it is, and so it can't decide when to do, well, anything, and the
timestamps in the logs will just be guesses, so forensics is right off
the menu and if you use Kerberos then it probably won't be long before
nobody will be able to log in, and...

Tell them it's a lot better to let you apply your intelligence to this
stuff than to get you running around in circles doing so many things
that make no sense that you have no time to implement real security.

-- 

73,
Ged.


