We’re happy to engage in constructive conversations with our users about My Cloud OS 5. Responses from Western Digital’s Product Security Incident Response Team (PSIRT) come from our technical team of security engineers and incident response managers. A number of the statements made in this thread about how My Cloud OS 5 works are not accurate and we’d like to take the opportunity to clear up any confusion users may have about how HTTPS access to your device works.
Western Digital does not have the private key used for HTTPS connections to your NAS. Certificate issuance for the My Cloud OS 5 device uses the ACME protocol to request a certificate from the Let’s Encrypt certificate authority. The private key used for your device is generated on your My Cloud NAS and always stays on your My Cloud NAS. The ACME protocol uses a “challenge-response” system to verify your device and issue the certificate, and this takes place using the Dynamic DNS system that Western Digital operates. In general, the process of obtaining a TLS certificate never requires that you share your private key with anyone. For more information on how the ACME protocol works, see the Let’s Encrypt web site: https://letsencrypt.org/how-it-works/
Western Digital does not have access to, intercept, or “man-in-the-middle” authentication to your My Cloud Admin dashboard. Authentication to the My Cloud NAS device takes place directly between your browser and your NAS device. The domain name that is shown when accessing your NAS resolves directly to the local IP of your NAS and does not imply that your NAS device is being accessed through Western Digital servers. We have provided information in this thread on how you can verify this for yourself.
There are multiple reasons why HTTPS is beneficial for access even when communicating to the NAS device on the local network. Web browsers are steadily evolving to warn users when communicating with devices over unsecured HTTP. Currently, Google Chrome marks all HTTP sites as “Not Secure” in the user interface and warns users when entering passwords on HTTP pages (https://blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/). This has the effect of potentially confusing users when they access their My Cloud device, even when it is being accessed locally. Browsers also treat self-signed certificates as critical security warnings. Using a valid certificate prevents both of these issues and provides users with assurance that the connection to their NAS device is as secure as possible.
Additionally, malware targeting IoT devices such as IP cameras and NAS devices continues to evolve and may soon be capable of attacking one IoT device from another compromised device on the local network. The principle of Zero Trust Security suggests that encryption should be used even on the local LAN. For more information on Zero Trust Security, see: https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html
My Cloud devices are used by a broad variety of customers in many different use cases and applications, from home users to small businesses. The security improvements in My Cloud OS 5 are designed to keep our users ahead of the evolving network security landscape. Our goal in My Cloud OS 5 was to provide additional security for our customers based on current best practices and the implementation of HTTPS security was driven by that goal.
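The ACME challenge-response step described in the post above can be reproduced offline. This is an added example, not part of the original post and not Western Digital's code; it assumes the DNS-01 challenge type from RFC 8555 (the post does not name the challenge type), and the key, token and domain are constructed placeholders. It shows that the value published in DNS is derived only from the CA's token and the public members of the ACME account key.

```python
import base64
import hashlib
import json

# Public JWK members that RFC 7638 hashes for each key type; any other
# member (including the private "d") is ignored by the thumbprint.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical public members."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_record(domain: str, token: str, account_jwk: dict):
    """RFC 8555 section 8.4: TXT record name and value the CA looks up."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample input: placeholder bytes, not a real key or device name.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "d": b64url(bytes(range(64, 96))),  # private member, held by the client only
}
SAMPLE_TOKEN = "constructed-token-for-illustration"
SAMPLE_DOMAIN = "device-example.invalid"

if __name__ == "__main__":
    name, value = dns01_txt_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name} TXT "{value}"')
```

The account key here is the ACME client's request-signing key; the HTTPS certificate key is a separate key pair whose public half is sent to the CA in the certificate signing request.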