SSL Encryption


Walkerok

SSL encryption is quickly becoming a requirement to be able to send emails from one place to another. With the global crackdown on spam, phishing, viruses, etc., there is an ever-dwindling number of email services available that do not require SSL encryption. Eventually we can reasonably expect that there will not be ANY non-SSL-encryption email services available (at least none we would want to use).

I realize that there is a real amount of work required to incorporate SSL encryption into the Unitronics hardware, but there are two majorly important reasons why it should be added.

1) The obvious email limitation, where you cannot send to a huge number of the email services out there without SSL encryption. We personally have a solution to this in that we have our own hosted servers set up to have a dedicated email box that does not require SSL, and then we just forward the emails to the multitude of user emails that require SSL encryption. This solution is not available to many of the Unitronics users, and because of this you are asking most end customers to have a special non-SSL-encryption mailbox to be able to get emails directly from the PLCs.

2) There is also a real security danger when hosting a website on the PLC, in that if SSL encryption is not required, the passwords and data are sent back and forth as simple ASCII text and can be intercepted and read by anyone. While we all may be willing to accept the point that no one is actually interested in stealing the password and data from a specific PLC running a specific device, there is a real security issue where hackers can EASILY steal the information and cause havoc and possibly damage.

For those reading this who are knowledgeable in the details of how all of this works, you are now saying to yourselves, "Well, what about the certificate list needed for the process to occur in the case of email, and what about the cost and updating requirements for hosting a certificate in the case of a PLC-hosted web page?" The approved list could be included in firmware updates, but even without this you would get many years of trouble-free usage by just having a good list at the time of new PLC creation. If this is considered unacceptable, then do not require the PLC to verify the public SSL encryption key on sending emails, and Unitronics can make a self certificate for making an internet connection from a remote PC. Yes, the security would be greatly reduced in email if no certificate verification were required, but at this point solving 80% of the problem of being able to easily send email to ANYWHERE is pretty good also. On the certificate required by a web page host, it is very inexpensive to get a signed certificate that would be good for many years. Then it would just be a matter of importing the certificate onto the computer that wants to connect, and security has been dramatically improved.

Thanks for reading this and I look forward to rebuttals or comments.

Keith


  • MVP 2014

Hi Keith, the posts looked different enough to warrant moderating them both. I think you have a certain amount of freedom to combine/edit/delete the duplicate information if you wish.

If you want anything tidied up that you don't have access to, send me an email.
