04-04-2014, 10:15 AM
I noticed this in the changelog for Firmware V72 in regards to the SSL certificate preloaded by Yealink on new phones from the factory:
4) The security of Certificate Authority:
It is not allowed for the ordinary user or administrator to view details of the preset
certificate or TLS certificate on the phones from the factory. The certificate cannot be
deleted, copied, edited, exported, or viewed.
Why is the SSL certificate in new 'from factory' phones permanently stored in the phone with no ability for administrators to remove it?
I am trying to withhold knee-jerk judgement without more information, but based on the information I've seen so far, this is the reaction you should expect:
If this is in fact the inability to remove this "secret" certificate on new phones that come from the factory with V72+ firmware, this is an absolute show stopper for any enterprise-class deployment with these phones. This is a serious security liability for any network that implements these phones. Admins must be able to revoke SSL certificates that may be compromised or untrusted.
Please confirm an ability to delete and replace this certificate by sysadmins.
Thank you for your time.