Make Sophos Endpoint updates by WebCID possible over HTTPS
Please make it possible to use HTTPS for WebCID updates of the product Sophos Endpoint Protection. Now only HTTP is possible; this is undesirable because authentication details (credentials) are being sent over the internet in plain text.
This has been unresolved since at least 2009. Needs implementing, at least as an option. That way those that want it, get it. Those that don't can just ignore it.
Brian Weirich commented
How is lacking this feature even remotely acceptable to Sophos staff? In the event of having a traveling employee (and these types often need access to sensitive data) we have to create another security hole, whose credentials are easily captured, ensure that account is sufficiently restricted, manage password changes of that account, and monitor the network for intrusions from that account all because Sophos--a security company--hasn't caught up with what should be BASIC to even remotely sensitive data going over the web. Besides being an inconvenience to organizations that take their security seriously, it is just plain foolish. Please implement this.
Paul Mattias commented
Please allow HTTPS updates for access from computers outside the Enterprise. In order to be compliant with our Sophos agreement regarding one home use installation client we needed to install a SUM in our DMZ. We use the client's AD account to determine if they can access the SUM. That way if a client's account is terminated, they can no longer receive updates. However, we are concerned with the transmission of the client's plain text credentials over HTTP as anyone monitoring the line can capture that information. Please allow this feature soon!
I would also like it to be possible to update via HTTPS.