Fishy security for wd2go

I’ve been trying to set up remote access for our new My Book Live Duo, and while the process has been simple enough so far, I’m very concerned about some of the security questions that have popped up.

Specifically, when clicking the share in my browser to access the drive, the Java interface loads and asks me to confirm a security certificate. I find several aspects of the certificate fishy:

[deleted for privacy concerns] 

Although the IP address for remotewd.com does in fact appear to be controlled by Western Digital, #3 and #4 above make me very cautious about accepting the certificate. I certainly don’t want to fall victim to a man-in-the-middle attack or something like that.

Would appreciate some clarification on what the certificate should be before I actually accept this one.

Thanks,

Matthew

For this one you may contact WD directly.

You are correct in being concerned!

The registration information for that specific is, indeed, peculiar.

[deleted - for privacy concerns] 

The thing is, the IP address for remotewd.com does appear to be controlled by Western Digital (info below), and Eric Bjornson seems to be WD’s Director of Engineering. I know domain registration can be falsified, but it seems to me a hacker would be more likely to just use private registration.

The more concerning things to me are #3 and #4 in my original post.  I would expect Western Digital to have a current security certificate and for it to not be valid only for “lee.”  This, added to the still-somewhat-dodgy domain registration, has me concerned.

I called Western Digital tech support and the guy supposedly checked with his supervisor and said everything was fine, but I couldn’t get through to anyone who seemed likely to actually know anything about it.

It would be nice if someone else could confirm if this is happening for all users or if it’s just me. Also, is there any way to contact someone at Western Digital (preferably in the U.S.) who might know something about this?

[deleted for privacy concerns]

I should also note that questions regarding [deleted] security certificate go back to at least March 10th:

http://community.wdc.com/t5/My-Book-Live/error-1244-when-attempting-remote-access/td-p/346069/page/2

Sorry, guys.  I had to edit Tony’s post for privacy concerns.  We are looking into this to make sure that it is correct.  Thanks Matthew for bringing it to our attention.

As an update we are correcting this even now.  However, there is no issue with WD2go’s security.  You don’t have to worry about any man in the middle attack.

Bill, thank you for your reply.  I understand there may be privacy concerns, etc., with providing full details about whatever the situation is or was.  But, as a customer who did in fact briefly (though warily) use wd2go at the assurances of WD’s support staff, I would appreciate at least a basic explanation of what was happening.

Specifically, was my wd2go account or my MyBook Live at risk, in any way, at any time, while these issues were ongoing?

Also, do you have a timeframe on when we can expect the fix to be complete?

Thanks again,

Matthew

MatthewLewis wrote:

Bill, thank you for your reply.  I understand there may be privacy concerns, etc., with providing full details about whatever the situation is or was.  But, as a customer who did in fact briefly (though warily) use wd2go at the assurances of WD’s support staff, I would appreciate at least a basic explanation of what was happening.

Specifically, was my wd2go account or my MyBook Live at risk, in any way, at any time, while these issues were ongoing?

Also, do you have a timeframe on when we can expect the fix to be complete?

Thanks again,

Matthew

Neither your WD2go account nor your My Book Live was ever at risk.  I use WD2go with my My Book Live all the time, and I’m completely confident that it is secure.  As for the security certificate, it just needed the information updated and refiled.  But it had no bearing on the security of the software or drive.  I know they are correcting it, but I don’t know how long the updating process takes.

Thanks - I appreciate it!

Matthew

I’m glad to help.  The only reason I acted so quickly to remove some of the information in the posts above was because it was private, and to prevent unnecessary snooping.  But I do want you to know that we really do appreciate you bringing the issue to our attention.  Thank you.

Bill