
https for BrightSign Players

Hi all,

Can someone direct us on how to increase security with self-signed certificates on our BrightSign players. Now they are just http://ipAddress/index.html

What are the steps required, either through BrightAuthor, SD card, BrightSignNetwork, etc.?

They are currently secured with username and password, but infosec department wants all players secured.

Thanks

7 comments

  • 0
    Lyndon

    You can't use a self-signed cert to access the local diagnostic page on the player. If the username and password aren't enough, the only option would be to disable the diagnostic server that's at index.html.

  • 0
    JRB Technical

    Lyndon:

    I think what they are really looking for is the diagnostic page needs to be HTTPS and not HTTP.

    Everyone is pushing for ALL network access to switch to being done over secure protocols, and not out in the open.

    Eventually BrightSign is going to have to do this, hopefully sooner than later. Many web browsers are already working to get to the point where they will refuse to load any HTTP web pages. Get ahead of this before it becomes a problem for users.

  • 0
    Allen H. Porter

    I am not arguing for one view or another exactly but...

    How would we update the certificate on our players in a scalable way? The only way I can think would be to include a renewed cert in a firmware update. Not all of my customers like firmware updates, but I can't think of another way to renew the cert on 40,000+ players. What would be the logic of TLS encrypted traffic on internal communication? I guess we would be admitting our network is or will be hacked and that is just the way it is.

    An attacker would need to be:

    1.  Inside your network.

    2.  Have an interest in controlling your signage.

    3.  Get past the locked down OS on the player to use it as a bot.

    What am I not thinking of? I have received the same HTTPS questions from customers, but I have never had one explain why. I am not a security guy, so there is probably something I am not thinking of...

  • 0
    JRB Technical

    I understand everyone's situation is different.

    There are many players that are directly on the Internet - and through the years I have stumbled across quite a few in Google searches (I wasn't looking for them; usually I would come across log file content), almost all of them without any password protection. If I stumbled across a few, then there are likely 10s of 1000s or more on the Internet.

    The answer is not easy, but unsecured IoT devices on networks getting hijacked has been a huge problem.

    Regardless, if not fixed, eventually you will need to use a custom browser, or an old outdated browser to gain access. There is time to figure it out, but please don't ignore this until the last minute.

  • 0
    Pedro Sunday

    Thanks for the responses. JRB is on point, and that is exactly what my infosec department is pushing for: all devices, including BrightSign, must be secured.

    In our situation, the players are installed across a school campus, with other campuses in other geographical regions. All are accessed and managed through BrightSignNetwork and BrightAuthor.

    So is the consensus that it cannot be done, or is there a hack to get it done?

  • 0
    Allen H. Porter

    Keep in mind this is for community comment. If you don't get a good answer here, you may want to open a case with BrightSign.

    https://brightsign.zendesk.com/hc/en-us/requests/new

  • 0
    Pedro Sunday

    Thanks Allen. I will open a case.
