Hello,
I have a WAPT server that is currently being installed on client machines. I would like to know:
- If someone were to create a second WAPT server, could they intercept the packets (server data, etc.)?
- Is there a way to secure a WAPT packet (in the Python code)?
Thank you in advance for your answers, keep up the good work.
Sincerely
[RESOLVED] Security
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
-
dcardon
- WAPT Expert
- Messages: 1932
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
- Contact :
Hello Smarty,
However, even with a self-signed certificate, an attacker cannot install a malicious package because the packages themselves are signed. Finally, there is good documentation to read (see below); if you have a very specific question, please read it and point out where it needs clarification.
https://www.wapt.fr/fr/doc/PrincipesSec ... ciple.html
For your information, version 1.5.0.13 has obtained CSPN certification from ANSSI [1]. While this cannot guarantee that there are no security bugs, it still means that people have looked into it and thoroughly examined it.
Sincerely,
Denis
[1] https://www.ssi.gouv.fr/entreprise/cert ... -1-5-0-13/
The data streams are HTTPS by default. If you have configured a valid SSL certificate, the connection is as secure as your HTTPS connection to any HTTPS site (and it can be pinned). If you have a self-signed HTTPS certificate, you can have a man-in-the-middle attack, just like with any HTTPS connection. If you have a fake (unpinned) certificate, the communications can therefore be viewed.
However, even with a self-signed certificate, an attacker cannot install a malicious package because the packages themselves are signed. Finally, there is good documentation to read (see below); if you have a very specific question, please read it and point out where it needs clarification.
There is an extensive description of WAPT's security principles in the documentation:
https://www.wapt.fr/fr/doc/PrincipesSec ... ciple.html
For your information, version 1.5.0.13 has obtained CSPN certification from ANSSI [1]. While this cannot guarantee that there are no security bugs, it still means that people have looked into it and thoroughly examined it.
Sincerely,
Denis
[1] https://www.ssi.gouv.fr/entreprise/cert ... -1-5-0-13/
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
It's very thorough.-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
To be precise, the contents of a WAPT packet are not sensitive.
Anyone can read the contents of a WAPT packet.
If you wish to protect the contents of a WAPT packet, you can do so by encrypting the sensitive data with the public certificate of each machine.
Example:
https://wapt.lesfourmisduweb.org/detail ... 4_all.wapt
Anyone can read the contents of a WAPT packet.
If you wish to protect the contents of a WAPT packet, you can do so by encrypting the sensitive data with the public certificate of each machine.
Example:
https://wapt.lesfourmisduweb.org/detail ... 4_all.wapt
