    Why is my connection to my Home Troller Zee S2 NOT SECURE???

    I bought a Home Troller Zee S2 almost four years ago and I've NEVER deployed it, in part because I got busy elsewhere but ALSO because I could never understand how this device could ever be considered SECURE in that I don't want bad guys to be allowed to connect to my system. I've just now gotten back to trying it out again (pretty much from scratch as I haven't touched it or had it hooked up in over a year) and when I hook it up to ethernet and to power, I get the green light after a short time. Then I go and run,

    http://find.homeseer.com

    and it finds my system. When I connect through Google Chrome, it connects as a "NOT SECURE" connection.

    My oh my, even these forums are on a secure, https, connection, as even is the page you go to on HomeSeer to buy products, https://homeseer.com/

    But NOT the connection it offers me when it finds my Home Troller Zee S2????

    I appreciate that not even https connections are considered to be all that secure anymore but they have to be a bit better than a wide open connection.

    I've NEVER even tried to download and deploy the HomeSeer APP because unless and until I can learn how to connect securely to a web browser, I am simply never going to use the hardware so that next step isn't to even be considered until I learn about what it takes to make the basic connection of the Home Troller to a web browser at least as secure as an https connection.

    Can someone help??? I spent a long time researching who had the best hardware/software back in 2016 and finally decided to make a choice and try HomeSeer. And in the going on four years since I've never gotten very far. As I said, I've been busy elsewhere so I haven't had much time to invest in this system but I return to it now and then, hook it up again (wipe off the dust too) and come back here to see if someone can help me understand how to set up the Home Troller Zee S2 in a way that can allow me to run this hardware/software with some sense that I am doing so securely.

    Any help would be greatly appreciated...

    thanks... diitto

    #2
    When you power your HomeSeer system it makes a "secure" connection to HomeSeer servers to provide the LAN-IP your system is running on, say for example 192.168.1.123

    All that http://find.homeseer.com does for you is report back the IP allowing you to click on it versus knowing what IP your router handed out. This info is not exactly your social security number, credit card info, banking information, or anything useful to anybody but you. I'll happily tell you my HomeSeer system runs on http://192.168.0.5 and you try to get past my firewall and other protections. Without knowledge of my WAN IP you wouldn't even get to the front door. Ideally you set up a static DHCP reservation and just remember your http://LAN-IP, but the http://find.homeseer.com method is a nice way for those who prefer to plug-and-play their purchase and not know all the technical details if they can avoid them.

    Anyway, if you don't like the lame browser security warning on an info page that carries no or low security risk, then just add an S and visit https://find.homeseer.com/ instead.

    Did you really wait four years for that? And yes, maybe HomeSeer should have done an auto redirect, configure HSTS, and remove Diffie-Hellman and RC4 support, but then things get technical quick and I haven't even started on what options are available.

    If you want to review their server SSL/TLS security settings, then use a 3rd party website such as: https://www.ssllabs.com/ssltest/anal...d.homeseer.com

    As for getting a "NOT SECURE" connection for your local environment, perhaps read the HomeSeer manual on how to fix that. Properly would be via a purchased CA-verified certificate, such as a Comodo/RapidSSL which you can buy as cheap as $5/year, or you can even go free via LetsEncrypt CA system, but then you need to figure out how to renew that every 3-months and understand how a local CA proxy works to do those manually (they got an awesome manual for this). Another free option to encrypt data is via a self-signed certificate, but then technically you still get those browser warnings, unless you do a proper CA level self-signed certificate and then add your own CA to the root certificate store on all your systems. Then for you and your devices the warnings are gone, but everybody else in the world would still see them.

    Even with the warning, the data is still encrypted, it is just a warning saying "only proceed if you trust the one who created this certificate".

    Unless of course you stopped trusting yourself, but there are different forums to help on that

    PS: Added "secure" in quotes as I'm not 100% sure without WireShark/Fiddler2 confirmation and I can't be bothered to verify or care for that matter if the world knows my LAN IP. Somebody else might jump in to confirm.



      #3
      find.homeseer.com knows your public IP (WAN) address. It uses this to look up what private IP addresses your system is using. Unless you disable it, your Hometroller and Z-net send their private IP addresses to HomeSeer.



        #4
        Thanks much for your responses. I appreciate you taking the time. So, RoChess, in one part of your response you said,

        “…maybe HomeSeer should have done an auto redirect, configure HSTS, and remove Diffie-Hellman and RC4 support,…”

        Would you guys contend that a person wanting to do a reasonable job of securely deploying something like the Home Troller Zee S2 I’ve owned for a long time now should have at least a tangential knowledge of the terms you used in that quoted text above??? Configure HSTS??? Remove Diffie-Hellman and RC4 support???

        Because if so, I think it’s time for me to give up and toss this hardware in the trash and give up on my endeavor to SECURELY deploy any home automation.

        I’ve never heard of HSTS though I did look it up just now and downloaded a doc that looks like it’s worth reading, from this site,

        https://www.globalsign.com/en/blog/w...w-do-i-use-it/

        Same with Diffie-Hellman. Nope. Not a clue.

        And who am I and how long have I lived under a rock??? Well, I am a retired (2013) MSEE with 40 years of experience, most of it at a large national laboratory where I focused on data collection and data analysis. I worked closely with a large IT organization for decades who truly knew how to keep data secure but, and this is key, I am NOT MYSELF an IT expert, not even close but you’ve likely guessed that already. Bottom line, network security is NOT a simple topic and if you’re telling me I sort of need to become a network expert to do what I want to do SECURELY, then again, it’s time to give up and take a hammer to my Home Troller.

        We bought a new home in a very large retirement community (3000 homes) 5 years ago and the builder supplied the home with a competitor’s (not HomeSeer) network automation system. I set it up briefly, got it working and then went on the company’s blog and started asking “how secure is this system?” I was mainly derided for even asking and so that hardware went in the trash. Then I spent quite a while reading and trying to understand what other system out there might be the best and most understandable from a network security point of view. I dinked around long enough that I got frustrated and said “dive in, try something” and HomeSeer typically had the best reviews. That’s where the Home Troller purchase in early 2016 came from.

        In that 3000 home community, I am maybe one of about 10 residents who folks turn to often (in our local blog) to ask technical questions about how this or that home system works (solar panels, indoor fire sprinklers (oh what a nightmare they turned out to be), whole home ventilation systems, fiber to the home ISPs) and so forth. I know a lot about those systems but if someone asks me about security of home networks, nope, I tell them to hunt elsewhere for answers.

        Where you spoke about

        “…Properly would be via a purchased CA-verified certificate, such as a Comodo/RapidSSL which you can buy as cheap as $5/year, or you can even go free via LetsEncrypt CA system…”

        Again, clueless on my end. I have a home security camera that I was wanting to deploy that was recommended by a friend, a camera that, after I bought it, said it supported https but ONLY if I learned what it meant to deploy MY OWN SECURITY CERTIFICATE. You obviously know about doing such but I personally know not one person I could turn to (other than you guys) who would be able to share with me when and how we need to make and deploy our own security certificates. No bank has EVER asked me to create the lock and what is behind the lock on the secure websites they offer. And I’ve heard in recent times that even that security might not be so good anymore.

        I am quite technically competent but NOT in network security and my fear is I’m learning that I must become an expert in that field if I want to answer the question of

        “How to securely deploy a system like the Home Seer Home Troller”.

        I did, by the way, RoChess, do this that you suggested,

        “If you want to review their server SSL/TLS security settings, then use a 3rd party website such as: https://www.ssllabs.com/ssltest/anal...d.homeseer.com

        Oh my, that was a lot to watch and NOT understand…. Saved a copy of the listing. Pretty amazing…. I do know something about Heartbleed and a couple other terms that went flying by there but “Zombie Poodle”, “Bleichenbacher” and many others??? Nope…. Must have missed class and do note that I went to school back in the 70’s when Fortran (google it) was being taught so modern network topology was not yet on the radar.

        So you suggested reading the Homeseer manual (what doc exactly is that, the HomeTroller manual in my case??). Any other docs you might point me to that would help me get in the door without having to go back to college???

        And bottom line, do you think the Home Troller Zee S2 can be deployed and used with the HSTouch APP (or some other APP) (stopped short of ever trying any HomeSeer APP) where I can have some reasonable confidence the bad guys will be excluded from using my home automation for me???



          #5
          The short answer is that your Hometroller is secure as long as you do not expose your local network to the internet through a port forwarding rule in your router. When you used find.homeseer.com to connect, you were connecting locally. You would not be able to connect to it from outside your local network. If you connect to it remotely through MyHS.com, it is still secure in that MyHS creates a secure tunnel specific for the connection between the HomeSeer secure servers and your home system. Of course that security is dependent on how secure the MyHS servers are, but your home system is never directly exposed to the internet unless you open up your router.

          The first question to answer is do you want to expose your local network through an open external port on your router? If not, there is no reason to use SSL on your HomeSeer system.
          HS4 Pro, 4.2.19.0 Windows 10 pro, Supermicro LP Xeon



            #6
            The beauty of HomeSeer is that you can use it totally off-line.

            Amazon Alexa, Apple HomeKit, Google Assistant (and Nest stuff they bought), Samsung SmartThings, and dozens of others will freak out and leave you with a dumb home in most cases.

            That means if you keep it off-line, then nobody will ever be able to hack your system remotely, unless they show up at your door and you let them in. Of course being able to view status remotely that all doors are locked, lights are off, security system armed, etc. are very beneficial things to the owner of the smart home.

            HomeSeer allows you to do this secure as well via a nice tunnel on myHS which relies on the same methods as `find` with a secure tunnel (another preferred method by most is to rely on a VPN with the OpenVPN open-source community edition very popular for this).

            The documentation you used that said to use http://find.homeseer.com/ was probably outdated, and you could have simply used https://find.homeseer.com/ or rely directly on the known local LAN-IP.

            Enabling encryption for HomeSeer is easy, just click on Tools > Setup > switch to "Labs" tab, and check the "Enable SSL Secure Server" checkbox. This will trigger HomeSeer to rely on an existing PFX (expired one for me on old install, but once again this still keeps the connection encrypted if you trust the certificate, which I do). The PFX is located in the root HomeSeer folder as "server.pfx" and needs to be a password-encrypted one containing the corresponding private key.

            To activate SSL/TLS encryption in HomeSeer with a proper certificate and not have to worry about warnings you can safely ignore, my advice is to not nickel and dime on trying to do the full CA-based self-signed ways or LetsEncrypt, but to simply buy one from a real CA (Certificate Authority). Existing CA companies that your operating system trusts can be found by looking at the Root certificate store, for Windows you do that by WinKey+R (Run) -> mmc [enter] -> acknowledge ACL security warning to run program -> File -> Add/Remove snap-in -> double click "certificates" -> select "Computer Account" -> leave it at local and click Finish -> close dialog via OK -> on right side double click certificates -> double click "Trusted Root Certification Authorities" -> double click certificates.. and then finally you are presented with list of all the CA's your system trusts. Some CAs valid till 2043 even and there is also the "Third-Party Root Certificate Authorities" store.

            The place I buy all my certificates from is $23.52 for 4-year certificate (in 2-year block due to new renewal guidelines), and I'd be happy to talk you through that, but consider the following first.

            There is no need normally to worry about encryption locally, unless you do not trust others that can gain access to your network. But it is healthy to be paranoid and relying on an expired self-signed HomeSeer certificate is still better than nothing. Segmenting your network is another way to solve it while remaining unencrypted by using a dedicated router to place all your HomeSeer stuff behind. Some even take this one step further and have a dedicated network for IoT Wi-Fi devices, another for perhaps IP cameras, one for guest Wi-Fi, one for personal Wi-Fi, and what not. Configuring multi-cast, port-forwarding, and keeping it all secure gets extremely tricky then if the networks need to communicate between them. This can also be done with a single advanced router via VLANs and other nifty tricks. Popular hardware that makes this process easy is the Ubiquiti UniFi range of network equipment.

            As for creating a non-expired self-signed certificate, the most common method is via OpenSSL, but Microsoft always had full support to do this, and it relies on the same mmc tool as explained earlier. The easiest guide I can find to talk you through a secure SHA256 certificate is available @ https://blogs.msdn.microsoft.com/may...erver-2012-r2/

            Then replace the server.pfx file provided by HomeSeer and adjust password inside HomeSeer setup input field accordingly.

            You can also install the root certificate on any other device if you do not want the "this certificate is not trusted, would you like to continue?" warning. This still means you are encrypted/secure, because you know YOU are the one who created it and trust yourself. In most browsers this shows as an encrypted lock covered by a little yellow warning flag.

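The OpenSSL route that post #6 sketches, acting as your own CA, issuing a non-expired certificate for the HomeTroller, and packing it into a password-protected server.pfx that carries the private key, as an added worked example. This is a shell script written for this thread, not HomeSeer's tooling and not from the post; it assumes OpenSSL 1.1.1 or later on the PATH. The LAN address 192.168.1.123 (the illustration address from post #2) and the PFX password are placeholders, and the script ships its own OpenSSL config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not HomeSeer's own tooling: build a private CA with OpenSSL,
# issue a server certificate for the HomeTroller's LAN address, export it as a
# password-protected PKCS#12 bundle (server.pfx) that carries the private key,
# and verify the result. LAN_IP and PFX_PASS are placeholders (assumptions).
set -e

WORK="${WORK:-$(mktemp -d)}"           # scratch directory for all key material
LAN_IP="${LAN_IP:-192.168.1.123}"      # constructed sample address, not a real host
PFX_PASS="${PFX_PASS:-change-me}"      # placeholder; pick a real secret

# Self-contained OpenSSL config. v3_ca marks the root as a CA; v3_server is
# what a browser wants from a leaf: CA:FALSE, serverAuth, and the address in
# subjectAltName (Chrome ignores the CN and only matches SAN entries).
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = Home Automation Private CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$LAN_IP
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# 1. Root CA (10 years). homeca.crt is what you import into the
#    "Trusted Root Certification Authorities" store on each of your devices;
#    homeca.key never leaves this machine.
make_ca() {
  openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 -nodes \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/homeca.key" -out "$WORK/homeca.crt"
}

# 2. Server key + CSR for the HomeTroller, then sign it with the CA. 825 days
#    is the longest leaf lifetime Apple clients accept, even from a private CA.
make_server_cert() {
  openssl req -new -sha256 -newkey rsa:2048 -nodes \
    -config "$WORK/ca.cnf" -subj "/CN=$LAN_IP" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr"
  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/server.csr" -CA "$WORK/homeca.crt" -CAkey "$WORK/homeca.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions v3_server \
    -out "$WORK/server.crt"
}

# 3. Bundle leaf cert + private key + CA cert into a password-protected PFX.
#    (Older .NET/Mono stacks may need `-legacy` added here on OpenSSL 3.)
export_pfx() {
  openssl pkcs12 -export \
    -inkey "$WORK/server.key" -in "$WORK/server.crt" -certfile "$WORK/homeca.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/server.pfx"
}

# Checks worth running before copying server.pfx into the HomeSeer folder.
verify_chain()   { openssl verify -CAfile "$WORK/homeca.crt" "$WORK/server.crt"; }
has_san_ip()     { openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "IP Address:$LAN_IP"; }
pfx_opens_with() { openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$1" -noout 2>/dev/null; }

build_all() {
  write_config && make_ca && make_server_cert && export_pfx
  openssl x509 -in "$WORK/server.crt" -noout -subject -issuer -dates
  echo "PFX written to $WORK/server.pfx"
}

build_all
```

After it runs: copy server.pfx over the one in the root HomeSeer folder and enter the same password in the Setup field, then import homeca.crt (only the certificate, never homeca.key) into the trusted root store on each browser device, which is what makes the warning disappear on your devices and nobody else's, exactly as post #6 describes. Keep homeca.key offline; anyone holding it can mint certificates your devices will trust. If you later change the HomeTroller's address, reissue the leaf with the new SAN rather than touching the CA.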


              #7
              Originally posted by diitto
              ...So you suggested reading the Homeseer manual (what doc exactly is that, the HomeTroller manual in my case??). Any other docs you might point me to that would help me get in the door without having to go back to college???...
              You have 40 years of experience with a Masters in Electrical Engineering and you can't figure out how to do a simple Google search or send an email to HomeSeer or call them to find the documentation or just browse homeseer.com???



                #8
                Thanks rprade and RoChess. Lots of good information there. I truly appreciate you guys taking the time to offer the help. I will read it over and continue to absorb. Likely will have more questions but you've given me a good re-start on revisiting my Home Troller.. thanks much...
