http vs https for 2 factor auth emails

USG110 Posts: 3

Hello,

I would like to ask if there is any practical difference between using http versus https for the VPN 2 factor authentication via email. I understand using https is more secure.

When using it (https) we get a certificate error/warning, which I assume means we need a certificate from a CA for it, but I was wondering if using plain http is an issue in this scenario and what the risks would be with that.

Thank you,

Spyros

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    Answer ✓

    Hi @USG110

    Thanks for sharing the screenshot with us. The "ERR_CERT_AUTHORITY_INVALID" error message appears because the browser doesn't trust the firewall's certificate. This is known browser behavior; you can refer to this discussion: USG60 - SSL VPN connect but "this connection is untrusted". For a safer browsing experience, we suggest that you consider using the https link, as it is more secure than http. If the user encounters a warning message, they can click on "Advanced" and continue to browse the 2FA link, as shown below.

    Thanks.

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee

    Hi @USG110

    "When using it (https) we get a certificate error/warning, which I assume means we need a certificate from a CA for it." Based on the above description, can you share the screenshot with us? Thanks.

  • USG110
    USG110 Posts: 3

    Hello,

    Thank you for the reply.

    Please see the screenshot of accessing the address via https.

    There wasn't any need so far for a certificate, but for users, when using https, the extra steps to go to "Advanced" and then open the site are more inconvenient than using plain http and getting to the site without more steps.

    That is why I am wondering if it's ok to keep using http for the 2 factor auth email links.

    Thank you again for taking a look at this.

    Spyros

  • mMontana
    mMontana Posts: 1,302  Guru Member

    @zyxel_jeff Zyxel could still add compatibility for Let's Encrypt…

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee

    Hi @mMontana

    Currently, we do not support this feature. Thanks.

  • mMontana
    mMontana Posts: 1,302  Guru Member

    You should. You really should.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee

    Hi @mMontana

    Thanks for your suggestion. We already transferred this requirement to our new feature queue for further evaluation.

  • mMontana
    mMontana Posts: 1,302  Guru Member

    I don't think it's impolite to believe that, due to the current status of some "openness features" requested several years ago by your customers, the evaluation will end with the result "nope!".

    But hey, I'd love to prove myself wrong when the support of that feature appears. Sorry, my bad. If, not when.
