TLS

Best Practices for Securing TR-069

For our article on the alleged TR-069 vulnerability during the Mirai bot scare, go here. As one of the most widely deployed broadband management protocols in the world, TR-069 has quite a footprint, and a compromised system could adversely affect many broadband subscribers. Luckily, TR-069 is built to operate on secure transport protocols. While there is nothing inherently insecure about the protocol itself, improper implementation of TR-069 clients and servers may expose problems that attackers can exploit, as is the case with any web service.

Common testing issues with TR-069 and SSL

Here are solutions to a few common TR-069 SSL-related issues.

The CPE does not have a time source

Some CPE devices will not validate an SSL/TLS certificate from the ACS until a time source is established. TR-069 states that devices should skip date validation of certificates if a time source is not established. However, in practice some CPE devices simply end the SSL connection. A common symptom of this problem is DNS requests to an NTP server which is not configured.

How do I convert from a Java keystore certificate to .pem format?

To convert a Java keystore certificate to .pem format, follow these steps:

1. Download and run the KeyTool IUI.
2. Export the private key and certificate chains file from the keystore to a .pem file. This can be done by selecting Export > Keystore's Entry > Private Key from the KeyTool IUI.
3. Choose a target private key file and a target certificate chains file, and select .pem as the export format for both.