wbocash
7 years ago · New Contributor
Clients create Self-signed CA Certificate
Is there a way to stop clients from creating a self-signed CA certificate? Problem is that they are not publicly trusted, so we are inundated with security vulnerabilities.
- 2 years ago
The self signed certificate in LogMeIn is used in these cases:
- host credentials are encrypted by the host's public key and saved on the clients or in the browser for:
- autologin
- One2Many tasks (Central)
Since they are encrypted with the host's public key (prior to saving them), only the host can decrypt them with its own private key.
- for end-to-end encryption between the native client (Remote Control, File Manager) and the host. The client receives the host's cert in a secure channel, so it can trust it even if it is self-signed.
Port 2002 is used only locally in LogMeIn. The host service accepts connections from the system tray icon applet and provides some information about the state of the service.
AshC
7 years ago · Retired GoTo Contributor
wbocash Hi there,
Could you elaborate on what kind of issues the self-signed CA is causing your clients? What scans and URLs come up vulnerable exactly?
wbocash
7 years ago · New Contributor
We use Tenable Nessus for vulnerability scanning, but I'd assume any scanner would detect a self-signed CA certificate as a vulnerability. Here are more details on the vulnerability:
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities. This nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Thanks!
- Vince_NCM
7 years ago · New Member
Following... Nessus is giving us fits with this