Disable HTTPS redirect

@WesternDigital-PSIRT;

Thank you very much for this detailed explanation.
Explanations like this really do go a long way in building confidence and trust from your user base. There have not been nearly enough of this since the release of OS/5.

However... regarding the HTTPS Security certificate... I am not a fan of this feature.
In my view, the best way to avoid suffering from a man-in-the-middle attack is to not put a man-in-the-middle for authentication on intranet communication.

If I recall OS/5 correctly, you already block access to the Admin Web interface from the internet. Is that not enough? Do I need HTTPS for intranet communication?

These are not Enterprise level NAS units. If someone is accessing my network. . . that means they have likely

  • compromised the router; in which case I doubt the HTTPS connections to the NAS are secure OR
  • are physically in my house; in which case they can just walk up to the NAS and do a 4 second reset, or just unplug the unit and take it home with them.

I agree an option for us to create our own local certificate; or to disable the HTTPS access would be valuable.

1 Like

We’re happy to engage in constructive conversations with our users about My Cloud OS 5. Responses from Western Digital’s Product Security Incident Response Team (PSIRT) come from our technical team of security engineers and incident response managers. A number of the statements made in this thread about how My Cloud OS 5 works are not accurate and we’d like to take the opportunity to clear up any confusion users may have about how HTTPS access to your device works.

Western Digital does not have the private key used for HTTPS connections to your NAS. Certificate issuance for the My Cloud OS5 device uses the ACME protocol to request a certificate from the Let’s Encrypt certificate authority. The private key used for your device is generated on your My Cloud NAS and always stays on your My Cloud NAS. The ACME protocol uses a “challenge-response” system to verify your device and issue the certificate, and this takes place using the Dynamic DNS system that Western Digital operates. In general, the process of obtaining a TLS certificate never requires that you share your private key with anyone. For more information on how the ACME protocol works, see the Let’s Encrypt web site: https://letsencrypt.org/how-it-works/

Western Digital does not have access to, intercept, or “man-in-the-middle” authentication to your My Cloud Admin dashboard. Authentication to the My Cloud NAS device takes place directly between your browser and your NAS device. The domain name that is shown when accessing your NAS resolves directly to the local IP of your NAS and does not imply that your NAS device is being accessed through Western Digital servers. We have provided information in this thread on how you can verify this for yourself.

There are multiple reasons why HTTPS is beneficial for access even when communicating to the NAS device on the local network. Web browsers are steadily evolving to warn users when communicating with devices over unsecured HTTP. Currently, Google Chrome marks all HTTP sites as “Not Secure” in the user interface and warns users when entering passwords on HTTP pages (https://blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/). This has the effect of potentially confusing users when they access their My Cloud device, even when it is being accessed locally. Browsers also treat self-signed certificates as critical security warnings. Using a valid certificate prevents both of these issues and provides users with assurance that the connection to their NAS device is as secure as possible.

Additionally, malware targeting IoT devices such as IP cameras and NAS devices continues to evolve and may soon be capable of attacking one IoT device from another compromised device on the local network. The principle of Zero Trust Security suggests that encryption should be used even on the local LAN. For more information on Zero Trust Security, see: https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html

My Cloud devices are used by a broad variety of customers in many different use cases and applications, from home users to small businesses. The security improvements in My Cloud OS 5 are designed to keep our users ahead of the evolving network security landscape. Our goal in My Cloud OS 5 was to provide additional security for our customers based on current best practices and the implementation of HTTPS security was driven by that goal.

1 Like
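An added illustration of the challenge step described above (not Western Digital's code and not part of the original post). It assumes the challenge is ACME's DNS-01 type, which the post does not state beyond saying it uses the Dynamic DNS system; the token and account JWK are constructed sample values. The value published in DNS is a hash over the CA's token and the ACME account's public key, so no private key material is part of it.

```python
import base64
import hashlib
import json

# Constructed sample values: not a real key and not a real CA token.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "constructed-x-coordinate",
                      "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-token-from-the-ca"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_public_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required public members only, sorted, no spaces.

    Private members such as "d" are dropped here, so they cannot
    influence anything derived from the result.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required},
                      separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account's public key (RFC 7638)."""
    return b64url(hashlib.sha256(canonical_public_jwk(jwk).encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value for _acme-challenge.<domain>."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


if __name__ == "__main__":
    print("TXT value:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The ACME account key is separate from the certificate's key pair; the certificate's public key reaches the CA in the signing request.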

First thanks for a very well thought out response. It is a very good answer corporations certainly like to hear…

BUT…

Any software regardless of IT Security measures and guidelines can and almost surely does have unknown flaws so why would I want that exposure if I can avoid it without any loss of functionality? TLSv1.0 would be my first example of a “now” broken security standard. Any old encryption algorithm like DES, WEP 64 which there are very many. SMBv1 would be another and there are many many more. Could ACME be another ?

Regardless of the security aspect I still would like the option for local access to dashboard.

So what happens when my internet provider is DOWN ? I would like to be able to access my NAS from my computers even if my internet connection is down. This is very important as if/when our internet connection is down we would still like to administer access on my NAS. And yes I could setup a home DNS / bind Linux server and deal with creating trusted certificate nonsense but why should I go through that hassle if I could just have local dashboard access as an option.

1 Like

Thanks for explaining. Now turn back on direct access without this feature. Provide us a way to disable it. We now know what it is, how it works, why you did it, and we don’t want it.

What is the timeline for a firmware release that will remove, disable, or give us the option to circumvent this feature? Please be specific.

2 Likes

They said in another thread previously that it will revert to direct non-https connect, proving that the functionality still exists to do so and they just won’t let us use it that way by default… even though that’s what we want!

Hi,

Whatever your explanations and reasons are, since this implementation my surveillance cameras don’t have access to my disks anymore. There are, from the camera stand point, no ways to bypass your new HTTPS thing.
I need from WD the option to disable this very soon.
Moreover since this upgrade the remote backup doesn’t work either.

Thanks for telling us when this bug will be fixed.

1 Like

I suppose that we all fall into a user - customer group. And a quite peaky one. I agree. On the other hand members of this user - customer group are the most probable to suggest or not specific products to friends, family or business. It will be good to have them happy.

We do not argue against the solution you provide. We state that we would like the freedom of options! Let us decide what we want, redirect or not. It should not be such a huge hack to turn redirection off. Or just provide the details and I am sure that a lot of people in this group will go on and do it themselves.

Personally I am happy that after so many years an upgrade came to mycloud. It seems that these changes can bring a new era to our devices and the solutions that we can build on top of them.

I do not feel though that a strategy of denying any suggestions or requests from the most demanding part of your customer base is one that will safeguard your middle to long term strategy.

The optimal solution in any problem is the one that allows you the most options into future situations. I hope you can see what we are asking for. The simple ability to deactivate redirecting. (Personally I would really love the option to tweak the Fan speed on a PR4100 in order to keep my HDD cool, but this is a different discussion)

thanks in advance

fu man tsu

2 Likes

Again; a very good answer from @westerndigital-psirt. This does clear up a number of issues in my mind.

So I clearly had it wrong in regards to “man-in-the-middle” in terms of authentication. However... you still have a third party doing the DNS resolution. Now, I am clearly not sophisticated enough to suss out the implications of that step.

@thetick: I definitely share your security concerns. My understanding (and I think I have tested this at one point) is that if the NAS is blocked from the internet. . the system will default to a HTTP connection within your network?

So I started having questions when other users began to report frequent communication between the NAS and “somewhere”; and that this contact was happening even if cloud access was turned off.

Question: Is the reported internet activity merely the NAS signalling its IP address to make this redirect work? How often does that occur?

Followup Question 1 Imagine a user that does not care about WD Web/phone apps and cloud access is disabled. Is there any other internet communication to/from the unit?

Followup Question 2 If a user does not care about WD Web/phone apps; and the user uses an external firewall to block internet access to the NAS. . . .what other functionality/capability will the user lose on the NAS (i.e. what other surprises are there)

Thanks for your help on these matters

1 Like

The admin page redirect isn’t done server side via 302, it’s done client side in Javascript. So we’re relying on the client correctly parsing the javascript for an insecure page, then redirecting to a secure page.

Admirable, but you expose the “secure” URL to any un-authenticated user at: http://<insert_your_nas_ip_here>/nas/v1/locale.

It would be pretty easy to javascript scan a network for that endpoint, exposing the secure hostname, and now an attacker can go generate a valid keypair; using the same secure service you’ve exposed to all customers. This is pretty much a textbook example of security through obscurity?

All we’re asking is, please, let us have the option to disable it.

I guess one possible way of blocking this (in Chrome anyway), would be to disable image loading for the NAS admin page:

    img.onload = function(){
        top.location.href = redirect_url;
    };

Just tested this, and yup. Blocks the redirect. Phew, a workaround!

4 Likes

I too found a way to block this using uBlock Origin, huzzah!

You must have advanced mode turned on in the extension settings and then when you navigate to YourIP for your NAS you configure the settings like this:

Once this is set, using direct links like MyIP/apps/transmission/web/transmission.html works without having to go through the admin panel and navigating to the app configure first too! Great success!

1 Like

Did some playing today . . . .

. … turns out merely BLOCKING the OS/5 machine from WAN access was insufficient to stop the redirect function.

. . .turns out I also had to change the STATIC IP of the device as well. (I suppose this makes sense; the “redirect” from 3rd party DDNS servers was still pointing to a valid address)

Edit: in changing IP address of the device, I suppose I momentarily unblocked the device to the internet. . . . .in under two minutes, there were 17 web access entries in the log. Things like time update, and a few related to Plex.

Edit: Hmmm. . . the static IP change worked for about an hour. Now the redirect “works” again. I want to know how to stop all internet communication from this device. . .short of unplugging it (which is my next step)

@WesternDigital-PSIRT,
Thank you for the post. Much appreciated. I have a couple of requests:

  1. Could you please provide some guidance on how to re-enroll for the certificate. In my case, I believe the certificate enrollment happened automatically when I upgraded to OS 5. Since then, I have moved the device behind another router and factory reset it. However, it has not “auto-enrolled” for the certificate again.
  2. Any chance WD is looking in to allowing admins to use their own certificates (for e.g., from an Enterprise CA)? If not, could this be considered in a future firmware update?

Thank you

@StrongWing419 Sounds like you may have network related issues, IE: name resolution, routing or port filtering or blocking.

  • Do you get “no internet connection” when you click the Apps tab?
  • Can you install 3rd party apps?
  • Do you get “no internet connection” on the Network screen under the Settings tab?
  • Do you get an error if you try to enable Cloud Access on the Cloud tab?

The following article will help.

@SBrown,

Thanks for the reply. Yes, it has internet connectivity and I can enable/disable cloud access without any issues. I can also access it from the cloud. I think this answers all of the questions you listed, but I am answering each question below for any additional clarity:

  • I do not get “no internet connection” in the Apps tab, instead I see apps listed.

  • I do not have a use case for any of the 3rd party apps at this time but I am confident that I can install them if needed.

  • Settings --> network --> status = “Internet access”

  • I can enable/disable Cloud Access without any issues.

Do you know the process for getting it re-enrolled for a new certificate? It doesn’t seem to be documented in the places that I have looked so far. If you find any resources, please share. Thanks again.

@StrongWing419 chances are the NAS actually has a cert from LetsEncrypt. You can check by https://NAS_IP:8543

If yes, chances are the computer running the web browser cannot resolve the Common Name listed at the top so the HTTPS redirect fails

IE nslookup device-local-xxxxx-xxx-xxx-xxxx-xxxxxxxxxx.remotewd.com

1 Like
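The check suggested in the post above (read the certificate names on port 8543, then see whether this computer can resolve them), as an added example that is not part of the original thread. It also covers the earlier statement that the name resolves directly to the NAS's local IP. The NAS address is a placeholder; `diagnose` accepts a substitute resolver so the logic can be exercised offline.

```python
import ipaddress
import socket
import ssl


def cert_dns_names(nas_ip, port=8543, timeout=5.0):
    """Return the DNS names (SAN entries, then subject CN) in the NAS certificate."""
    ctx = ssl.create_default_context()  # chain is still validated
    ctx.check_hostname = False          # we connect by IP address, not by name
    with socket.create_connection((nas_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName" and v not in names]
    return names


def system_resolve(name):
    """Resolve through the OS resolver, as the browser does; [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(names, nas_ip, resolve=system_resolve):
    """Give a verdict per certificate name on whether the redirect can work."""
    scope = "private" if ipaddress.ip_address(nas_ip).is_private else "public"
    verdicts = {}
    for name in names:
        addrs = [] if name.startswith("*.") else resolve(name)
        if name.startswith("*."):
            verdicts[name] = "wildcard: not resolvable as written"
        elif not addrs:
            verdicts[name] = "unresolvable: redirect fails on this client"
        elif nas_ip in addrs:
            verdicts[name] = f"ok: resolves to the NAS ({scope} address)"
        else:
            verdicts[name] = "mismatch: resolves to " + ", ".join(addrs)
    return verdicts


if __name__ == "__main__":
    NAS_IP = "192.168.1.50"  # assumption: replace with your NAS address
    for name, verdict in diagnose(cert_dns_names(NAS_IP), NAS_IP).items():
        print(f"{name}: {verdict}")
```

An "unresolvable" verdict points at the client's DNS path; a "mismatch" means the published record and the address you connected to differ.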

@SBrown @WDStaff and whoever else is supporting this unsupported monstrosity, do disable this functionality and let the user either enroll himself to let’s encrypt or provide self-signed certificates. There is no reason for WD to know the private ip of these boxes, revealing in the process part of my network topology.

Coupled with the inability to connect from another segment (we used our boxes in DMZ to be connected from LAN just fine in the previous OS), this is creating a user hell. If you were going to do it your way, you should have made sure that they work just fine in all possible scenarios (ie interfaces behind WPAD proxy, one on DMZ/one on LAN, etc) and not just having the boxes in a house lan doing active failover!

I have a multitude of issues, some of them critical on one of our 4 EX4100 boxes on which I have received no actual support/solution or pat on the shoulder (see the EX forum), even after opening a support ticket. Part of these problems stem from exactly this extremely bad implementation of this secure access idea.

Seriously now, get rid of this junk altogether, or for heaven’s sake provide an option to disable this thing altogether.

I took the plunge to OS5 now and not months ago, considering that it would be past its infantness. I was dead wrong!

@SBrown
First, I apologize for the delay. I received your first reply via email but never received your second reply, so I assumed that there was no follow up. Just discovered your answer today when I logged on to wd community.

Second, a BIG THANK YOU!!! you got me back on the right track. I was able to discover the common name using your instructions. Once I got that, it was just a matter of fixing name resolution for it. Again, Thank you! I appreciate your assistance.

The link you provided explicitly states about localhost and publicly distributed private key.
Seems like both statements are not true in this case:

  • Assuming WD’s explanation in this topic is true: certificate is requested right from the device and never leaves it
  • Certificate is used for the device’s internal IP address, not localhost/127.0.0.1

Am I missing something? Can you outline attack vector?

Dear PM for PR4100 and @WesternDigital-PSIRT
TLS being accepted by the browser has a thousand methods. Not having an option in how I handle TLS is less than ideal. I manage my own CA and sign all of my devices with it, so now I cannot trust your device because it does whatever it wants to protect my end to end encryption on my LAN.

Most users won’t care about this “feature”, however I do. I even created this account so I could write this single post. Considering this device has access to critical data and it shares any information about my network with a third party it’s going to the shredder. What a blunder.

Hello.

So, I heard a rumor that the latest version of firmware allows us to make our systems more secure by disabling the HTTPS redirect “feature”.

Does anyone have any observations about this latest improvement in the firmware?

I am a bit reluctant to update the firmware of my OS/5 machine... or even power it up at the moment. (I am waiting to understand the implications of EdgeRover to become apparent before I go to a more permanent solution (i.e. Update OS/5; Reload OS/3; Replace w/ other NAS))