Transcript Document

Cryptographic Key Security
Update
January 2014
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
• Security Update Overview
• Compatibility Period
• Recording URL and Unlisted Program URL Reports
• Expired Links and Notifications
• Support Resources and FAQ
• Cisco is making changes to improve the management of cryptographic
keys used to generate URLs used in WebEx Meeting Center, Training
Center, Support Center and Event Center services. This enhancement
will modify the way encryption keys are used to generate URLs that link
to WebEx recordings and that are used to reset passwords. This update
will impact the functionality of existing URLs.
• The new security settings go into effect for every affected customer on
January 29, 2014
• Note: This security update will be applied to Sales Center in February
(date TBD)
• This security update will change the format of some URLs
Table columns: Link Type, Meeting Center, Event Center, Training Center, Support Center
Table rows (link types):
• WebEx Recording Links
• Password Reset Links
• Calendar (.ics) Links
• Unlisted Program Links
• WebACD Support URLs
What is it?
The compatibility period is a 30-day period between the deployment date and the activation date of this security update. During these 30 days, customers will not experience any direct impact of the new security settings because the original settings are also in effect.
What are the effective dates?
29 January - 27 February. The compatibility period ends as of 28 February. The effective dates and duration of the compatibility period are the same for all customers.
What is the purpose?
To allow time for customers to update WebEx recording and other URLs that may be shared or embedded in other locations. Updating URLs prior to expiration will ensure a smooth transition and minimize disruption.
What happens if URLs are not updated by 28 February?
URLs in the old format will be expired on 28 February. Visitors will be taken to a Webex.com page to facilitate requesting an updated recording link.
• Accessible only to Hosts
• Log in to your WebEx site > My WebEx > My Reports > View Old and Updated Links
NOTE: If you do not see these reports under My WebEx > My Reports, please go to My WebEx Support > View Old and Updated Links
• Click the appropriate link and the report will automatically download
• .csv format
• All recordings ever created by the Host
• Hosts can download list of new links
• My WebEx > My Reports
• URLs in Reset Password emails sent before
January 29, 2014 will be invalidated.
• A Host who attempts to access an expired
Reset Password URL will be redirected to a
page to reinitiate password reset.
• Host authenticates with their email address
(associated to their Host ID)
• A new reset PW link is sent to that email
• All reset PW links expire within 72 hours of
being sent
• For Invitations created before 29 January 2014, users will be redirected to the Meeting/Session information page
• Select View Meeting/Session details, enter password and click Add to My Calendar to download the .ics file
• Links to recordings created before 29 January 2014 will be expired on 28 February 2014
• When an expired link is clicked, the expired link page appears and the new link can be requested
• An email is sent to the recording owner (Host)
• Requestor will not receive an email confirming their request
• Host can email the updated link to the requestor and/or update the link location.
• Expired link page will not appear when link has been updated successfully
Expired link page: “This recording link has expired. Request a new link.” Requestor enters Name and email. Enters a message (optional). Clicks “Request new link”. Email is sent to Host.
Includes Referring URL to allow Host to update original link location with the new link.
Host ID:
Requestor Name ([email protected]) is requesting the link to your program Name of Program.
This is an optional message from the requestor:
Due to a security enhancement, the previous program link has expired. This link appears in the website http://mail.qa.webex.com/showmail.asp?filename=20
To share your program, send the new link below to Requestor Name at [email protected]
Updated program link:
http://sz1web.qa.webex.com/szspt29l/onstage/g.php?PRID=ed8d37c48c406df1869331f51eaff48b
http://www.webex.com

No Referring URL
Host ID:
Requestor Name ([email protected]) is requesting the link to your program Name of Program.
This is an optional message from the requestor
Due to a security enhancement, the previous program link has expired.
To share your program, send the new link below to Requestor Name at [email protected]
Updated program link:
http://sz1web.qa.webex.com/szspt29l/onstage/g.php?PRID=ed8d37c48c406df1869331f51eaff48b
http://www.webex.com
Support Center Impacts:
• WebEx recording URLs
• WebACD live support links
• WebACD Agent’s Personal Queue URL
On-Screen Customer Message
Customers and Site Admins (Queue creators) are notified of expired live support links. Site Admin receives a link to obtain a new link, along with the appropriate queue name.
Site Admin Email
Your customer received the error message “This support link has expired.”
WebACD Agent Email Text
Due to a security enhancement, the previous support link has expired. To help customers use functional live support go here to login and get a new link from the queue %QueueName%. You may also want to update the site with the new link.
http://www.webex.com
• Review the FAQ and support documents
Cryptographic Key Update for WebEx FAQ
https://support.webex.com/webex/meetings/en_US/key-modificationupdate-faq.htm
• Encourage customers to update their NBR links to minimize disruptions
Compatibility period ends 28 February 2014
Updated NBR and Unlisted Program Links Reports are available to Hosts at My WebEx > My Reports > View Old and Updated Links
• Does this change require a client download?
The security updates covered in this presentation do not require a client download or a Productivity Tools client download.
• Are customers required to update all URLs?
There is no specific requirement to update everything; however, all links that have not been updated will expire on 28 February 2014. To prevent any disruption for Hosts and visitors to those links, it is important to update them before expiration.
• How does this change make recording URLs more secure?
URLs will be created using UUID format. This will help improve meeting security and strengthen the security of recorded files. UUID URLs are generated with random numbers that are independent of identifiers that were used previously, like Site ID or MeetingID. UUID stands for Universally Unique Identifier.
• How far back do URLs need to be updated?
Encourage customers to update the most recent, popular or widely-distributed recording links first. Links that were created more than 30 days ago are less likely to require an urgent update. Links that were never shared (emailed, posted to a website, etc.) don’t require an update, but the new link should be used in the event the link is shared at a future date.
• What if my customer can’t complete all URL updates within 30 days?
Links will become invalid (expire) at the end of the 30-day grace period. Visitors to those links will see an “expired link” screen and can request an updated link from the Host. Hosts should update the link location with the new link to prevent additional requests from being triggered.
• Are meeting invitation URLs affected?
Join Meeting URLs will be generated using the UUID format as of January 29th, but existing URLs will continue to work and customers are not required to update meeting invitations.
• Can I update recording URLs for my customer?
The report of old/new recording URLs can only be accessed by the Host who created the recordings.
• Can we run a URL report and provide it to customers?
At this time, there is no internal process for accessing the URL report on behalf of a Host/customer.
• When will recorded files be created using the new UUID format?
The new format for generating URLs goes into effect on January 29, 2014.
• My customer doesn’t use WebEx recording services. Does this affect them?
Customers who do not use WebEx recording services will not be impacted by the changes to WebEx recording links. However, there are additional impacts to .ics files, forgot password links, etc. that could impact them. Review the communication and FAQ carefully to ensure your customers are aware of all changes.
• Will Expired Link pages remain active indefinitely?
Yes. Expired link pages will continue to be displayed for any expired links that have not been updated.
• Are there any statistics about how often WebEx recordings are accessed?
Shared recordings are viewed the most within the first 2 weeks of being posted. Access to recorded files drops off significantly after 2 weeks and dwindles to nearly zero by the 30-day mark. We recommend updating the newest recordings first.
• Should information about this security update be shared with all users (Hosts)?
Yes. Hosts using services that are affected by this update need to be advised of all impacts. Please note: Sales Center customers will receive a separate communication when this update is applied to their services.
• Does this change affect Connect, Jabber?
At this time there is no impact to the clients for Connect and Jabber.
• Are Meeting URLs which were scheduled from a mobile device also impacted by this enhancement?
No. There is no impact to Meeting URLs scheduled from a mobile device.
• Does this update affect WebEx Meetings (WX11)?
No. WebEx Meetings URLs currently use the UUID format.
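
The UUID-format links and the expiry rules described in this deck can be modelled server-side as follows. This is an added example, not Cisco or WebEx code: `LinkService`, its methods and the sample keys are hypothetical, while the 28 February 2014 cutoff and the 72-hour reset lifetime are the values stated above.

```python
import uuid
from datetime import datetime, timedelta, timezone

COMPAT_END = datetime(2014, 2, 28, tzinfo=timezone.utc)  # old-format links expire (date from the deck)
RESET_TTL = timedelta(hours=72)                          # reset-link lifetime (from the deck)


class LinkService:
    """Hypothetical server-side link table; all names here are illustrative."""

    def __init__(self):
        self.records = {}  # random token -> {"kind", "target", "expires"}
        self.legacy = {}   # old-format key (built from predictable IDs) -> random token

    def _new_token(self):
        # uuid4 is drawn from the OS CSPRNG, so the token reveals nothing
        # about site ID, meeting ID or creation order.
        return uuid.uuid4().hex

    def issue_recording(self, recording_id, legacy_key=None):
        token = self._new_token()
        self.records[token] = {"kind": "recording", "target": recording_id, "expires": None}
        if legacy_key is not None:
            self.legacy[legacy_key] = token  # old link keeps working during compatibility
        return token

    def issue_reset(self, host_email, now):
        token = self._new_token()
        self.records[token] = {"kind": "reset", "target": host_email, "expires": now + RESET_TTL}
        return token

    def resolve(self, key, now):
        """Return (status, target); status is 'ok', 'expired' or 'unknown'."""
        if key in self.legacy:
            if now >= COMPAT_END:
                return ("expired", None)  # caller shows the "request a new link" page
            key = self.legacy[key]
        rec = self.records.get(key)
        if rec is None:
            return ("unknown", None)
        if rec["expires"] is not None and now >= rec["expires"]:
            return ("expired", None)
        return ("ok", rec["target"])
```

The lookup is by exact token only, so a visitor who knows a site or meeting identifier gains nothing toward finding a recording link.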
Thank you