LISTSERV - HP3000-L Archives

HP3000-L Archives

December 1999, Week 2

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L December 1999, Week 2

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	[Fwd: HP Secure Web Console]
From:	Jeff Kell <[log in to unmask]>
Reply To:	Jeff Kell <[log in to unmask]>
Date:	Mon, 13 Dec 1999 20:52:32 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (55 lines)

I'm forwarding this from elsewhere in the event people on the list
have deployed the Secure Web Console on their 3000s.  It did go to
the hpux-admin list but I don't recall seeing anything on 3000-L.

Jeff Kell <[log in to unmask]>

-------- Original Message --------
Subject: HP Secure Web Console
Date: Wed, 1 Dec 1999 09:05:40 -0600
From: Jon Mitchell <[log in to unmask]>
Reply-To: Jon Mitchell <[log in to unmask]>
To: [log in to unmask]

The Secure Web Console is a device that looks (and acts) like a JetDirect
printserver.  It has one ethernet port and one serial port.  The idea
behind it is that you can connect your console cable from your HP9000
machine to this device and put it on the network.  This way you can
connect to your HP9000's via a web browser so remote access to the console
is easy.  Since this is actual console access you could potentially do
upgrades or reboots into single user mode safely from this device without
being onsite.

The problem with this device is the word Secure in the name.  This implies
that this device is providing secure access from the network.  The
information on this devices web site http://www.hp.com/go/webconsole
states that it currently uses MD5 user digest as the encryption scheme and
that future firmware will support SSL.  We have the latest firmware
installed at this time of A1.6 (A.01.06.001)

Upon first connecting we noticed that it would not support an SSL
connection as the documentation states.  Because even the first page you
access on this device is a Java applet, we assumed the best, that
encryption was somehow provided through that.  However we discovered that
it does not appear to be any sort of MD5 encryption scheme (although I'm
not an encryption expert), but in actuality what we've deemed Secret
Decoder Ring encryption.  The letters are one to one with another letter,
and even worse, in order as well.

Here's an example of two sets of letters:

You type:  abcd
Transmits: VUTS

You type:  ABCD
Transmits: vuts

Thanks to Joe Munson for helping debug this and coming up with the Secret
Decoder Ring reference (which reminded me of the Little Orphan Annie Ring,
that only says to drink more Ovaltine, in the Christmas Story).

--
Jon Mitchell
Systems Engineer, Subject Wills and Company
[log in to unmask]

ATOM RSS1 RSS2

RAVEN.UTC.EDU