AIR SSL Enforcement
In previous releases of Binalyze AIR, the communication between the agents and console has been over HTTP by default.
In order to improve the overall security posture of AIR, from version 2.5 accessing AIR over HTTPS becomes mandatory.
For this reason, it is required that all existing users obtain an SSL certificate issued by a valid public Certificate Authority before updating their instances.
As a fallback to ensure system continuity, you can also use the unique self-signed certificate issued automatically by AIR, either temporarily or as a permanent solution.
IMPORTANT NOTE: Port 443 should be allowed inbound on your AIR console instance before upgrading to version 2.5.
RELEASE DATE: Version 2.5 will be officially released on May 16th, 2022 for our existing customers. If you want to download and install it before the official release date, you can follow the instructions here.
- Version 2.5 creates a unique Root CA (self-signed) and shares the public key of this with the endpoint agents upon their first connection to the AIR console.
- Then an SSL certificate is issued by this Root CA for agent-console communication.
- This SSL certificate is only used by the endpoint agents and is not available to other applications on your assets for security reasons.
Self-signed certificates are provided for business continuity purposes and we strongly suggest using an SSL certificate that is issued by a trusted Root CA. Until you obtain a valid certificate, you can follow the workarounds for major browsers listed below:
During the update, AIR will still create a unique Root CA for your instance and share the public key with the agents. If you already use AIR with a valid SSL certificate, a new SSL certificate will not be issued, and your current certificate will continue to be used.
In this case, the old certificate will be saved locally on the AIR console for backup purposes and AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.
AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.
AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.