We need native HTTPS support!

    So there's a bug in HomeSeer that gives unauthorized users access to their HS systems. And apparently this is really easy to access other systems.

    Rich says he has this fixed in beta .311 which is available here, and I'm currently installing despite my skepticism for betas.

    But while we're looking at security issues, can we talk about the horribly buggy HTTPS web server built into HS3?!
    Why isn't this working properly?!
    I can't for the life of me understand why HTTPS isn't available and being promoted as a more secure connection.

    After all, HomeSeer is controlling our lives. It would be great if it also attempted to be somewhat secure.
    HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
    Running on Windows 10 (64) virtualized
    on ESXi (Fujitsu Primergy TX150 S8).
    WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

    Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

    #2
    Originally posted by Moskus
    So there's a bug in HomeSeer that gives unauthorized users access to their HS systems. And apparently this is really easy to access other systems.

    Rich says he has this fixed in beta .311 which is available here, and I'm currently installing despite my skepticism for betas.

    But while we're looking at security issues, can we talk about the horribly buggy HTTPS web server built into HS3?!
    Why isn't this working properly?!
    I can't for the life of me understand why HTTPS isn't available and being promoted as a more secure connection.

    After all, HomeSeer is controlling our lives. It would be great if it also attempted to be somewhat secure.


    +1
    ---
    John

    Comment


      #3
      I do not know if there are bugs in the HTTPS web server or not - I do not use this...but I'd personally rather have the team focusing on product improvements as they have offered other solutions (the My Homeseer service). Personally, I just use OpenVPN and forget about it.

      If I EVER really NEED to access my system through remote, I just wait for the OpenVPN link to establish.

      If I can't wait that long, typically it is only 1 specific thing...and you could use Push Bullet or as I do, use AutoRemote. I use this for things like opening my garage, controlling certain lights in the house. Aside from that, I typically can just wait for the OpenVPN + HSTouch to open up.

      --Dan
      Tasker, to a person who does Homeautomation...is like walking up to a Crack Treatment facility with a truck full of 3lb bags of crack. Then for each person that walks in and out smack them in the face with an open bag.

      Comment


        #4
        I had not heard about any bugs either, but it does use an outdated version of SSL/TLS so is pretty much useless at this point. I believe HS has stated in other threads and on Bugzilla that they are not planning to support newer versions of SSL/TLS as the MyHS service is a replacement for it. I don't quite agree with that stance and they should remove the SSL functionality completely if that is indeed the case. I use a VPN as well for most of my remote access, but having options is always nice.

        Cheers
        Al
        HS 3.0.0.548: 1990 Devices 1172 Events
        Z-Wave 3.0.1.262: 126 Nodes on one Z-Net

        Comment


          #5
          Originally posted by sparkman
          I believe HS has stated in other threads and on Bugzilla that they are not planning to support newer versions of SSL/TLS as the MyHS service is a replacement for it.
          There's a problem with that argument.

          HomeSeer is sold and marketed as a product not depending on cloud connections, and running locally.
          Being able to securely access HomeSeer only through HSTs cloud service is somewhat strange then, isn't it?
          HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
          Running on Windows 10 (64) virtualized
          on ESXi (Fujitsu Primergy TX150 S8).
          WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

          Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

          Comment


            #6
            Originally posted by Moskus
            There's a problem with that argument.

            HomeSeer is sold and marketed as a product not depending on cloud connections, and running locally.
            Being able to securely access HomeSeer only through HSTs cloud service is somewhat strange then, isn't it?
            100% agree....and many still question the cloud's exact place within HA....considering latency and reliance on systems you have no guarantee on availability.
            ---------------------------------------------------http://weather.penicuik.org

            Comment


              #7
              Originally posted by Moskus
              There's a problem with that argument.

              HomeSeer is sold and marketed as a product not depending on cloud connections, and running locally.
              Being able to securely access HomeSeer only through HSTs cloud service is somewhat strange then, isn't it?
              I'm not sure it's an argument. HST markets itself as being able to run locally without the cloud, but not about being able to access it remotely without the cloud. Remote access requires 3rd party services (i.e. internet/the cloud) to work. They substituted one method of access over that for another.

              As I stated in my previous post, I don't agree with HST's direction either and filed a bugzilla on it when Chrome was updated and no longer supported the old TLS. I don't agree with Google's/Chrome's stance either, but I suspect they are even less open to feedback than HST is. You still have an option of implementing your own VPN, which is what I did. Unless most HS users file a bugzilla asking HS to update SSL/TLS, I expect nothing will get done.

              Cheers
              Al
              Last edited by sparkman; March 1, 2017, 08:26 AM.
              HS 3.0.0.548: 1990 Devices 1172 Events
              Z-Wave 3.0.1.262: 126 Nodes on one Z-Net

              Comment


                #8
                For now I'm happily running using an nginx proxy, which, using this post and my existing certificate, was relatively easy.

                I just wish that HST was taking this seriously, as a proper web server would be preferable.
                HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
                Running on Windows 10 (64) virtualized
                on ESXi (Fujitsu Primergy TX150 S8).
                WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

                Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

                Comment
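The reverse-proxy setup mentioned in post #8, sketched as an added example (not part of the thread or of the post it links to): nginx terminates TLS with an existing certificate and forwards to the HS3 web server over plain HTTP. The hostname, certificate paths and the HS3 backend address `127.0.0.1:8080` are assumptions.

```nginx
# Added example, not HomeSeer's or the poster's configuration.
# Assumed values: hs.example.net, the certificate paths below,
# and HS3's built-in web server moved to 127.0.0.1:8080.

# Send plain-HTTP visitors to the TLS listener.
server {
    listen 80;
    server_name hs.example.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hs.example.net;

    # Existing certificate (full chain) and private key.
    ssl_certificate     /etc/nginx/tls/hs.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/hs.example.net.key;

    # Offer only current protocol versions; remove TLSv1.3 on
    # nginx/OpenSSL builds that do not support it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The hop to HS3 is unencrypted, so keep it on loopback (or a
        # trusted LAN segment) and do not forward the HS3 port itself
        # on the router; only 443 should be reachable from outside.
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;
    }
}
```

`nginx -t` validates the file before a reload. The proxy only protects the transport; HS3's own user login still decides who gets in.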


                  #9
                  https is impossible to set up on your own system as you need a certificate to use properly. So we will probably be removing it in a future build. MyHS uses HTTPS and that is the recommended solution.
                  website | buy now | support | youtube

                  Comment


                    #10
                    Originally posted by rjh
                    https is impossible to set up on your own system as you need a certificate to use properly. So we will probably be removing it in a future build. MyHS uses HTTPS and that is the recommended solution.


                    I think "impossible" is a very strong word and SSL/Certs are normally an easy setup for those that feel they need it.

                    I would also say that there is a very strong case not to depend on any cloud service, including MyHS within Homeseer or indeed any HA product. Cloud can add value, but we all know key functionality is easily tripped up due to availability or rather lack of it.

                    It would be a sad day when and if HS relies on MyHS and if the local web interface were to disappear I am sure many users would too.




                    David
                    ---------------------------------------------------http://weather.penicuik.org

                    Comment


                      #11
                      The local web interface is not going away, you will always be able to manage your system locally, without an Internet connection.

                      You really cannot use SSL securely without a domain. Sure you can create a self signed cert, but that is not really secure.

                      I don't know why there is a push back on MyHS, we have made it very reliable (I use it every day), and it uses SSL, and it's free. Why should we provide yet another secure solution for accessing your home system? That is so complicated that only the really technical can use it?

                      There are a bunch of free tunneling apps out there that you can run on your PC and it will allow you to securely tunnel into your home system. Also, as mentioned, you can use a VPN. So there are solutions available for the technically minded.

                      Originally posted by Bestgear
                      I think "impossible" is a very strong word and SSL/Certs are normally an easy setup for those that feel they need it.

                      I would also say that there is a very strong case not to depend on any cloud service, including MyHS within Homeseer or indeed any HA product. Cloud can add value, but we all know key functionality is easily tripped up due to availability or rather lack of it.

                      It would be a sad day when and if HS relies on MyHS and if the local web interface were to disappear I am sure many users would too.




                      David
                      website | buy now | support | youtube

                      Comment


                        #12
                        Originally posted by rjh
                        I don't know why there is a push back on MyHS, we have made it very reliable (I use it every day), and it uses SSL, and it's free. Why should we provide yet another secure solution for accessing your home system? That is so complicated that only the really technical can use it?
                        I have two-three issues with MyHS:
                        1. MyHS is much faster now than it was before, but it is still noticeably slower. We need an EU server.
                        2. Can you tell me how I can add support for e.g. my own app, WinSeer? I'm sure it's possible but I can't figure out how.
                        3. I want to stay logged in for as long as I want.


                        Other than that, I don't have anything against MyHS, but it is still yet another (relatively slow) cloud connection I am hoping to avoid.
                        HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
                        Running on Windows 10 (64) virtualized
                        on ESXi (Fujitsu Primergy TX150 S8).
                        WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

                        Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

                        Comment


                          #13
                          Originally posted by Moskus
                          I have two-three issues with MyHS:

                          MyHS is much faster now than it was before, but it is still noticeably slower. We need an EU server.
                          What slow speeds are you experiencing Moskus?
                          Jon

                          Comment


                            #14
                            MyHS can now use multiple servers, so setting up an EU server is possible and we are looking into it. It would speed things up.

                            But I would think you would use HSTouch for remote access, I never use the web interface, HSTouch is much easier and HSTouch uses very little data so it should be just about as fast as local connection.

                            There is no timeout if you leave the web browser open with MyHS, so you should be able to stay connected.

                            As for your own app, if you are trying to access an HS system through MyHS just use the JSON interface. You pass the user/pass in the command so accessing is easy. If you need some docs on this, let me know.

                            Originally posted by Moskus
                            I have two-three issues with MyHS:
                            1. MyHS is much faster now than it was before, but it is still noticeably slower. We need an EU server.
                            2. Can you tell me how I can add support for e.g. my own app, WinSeer? I'm sure it's possible but I can't figure out how.
                            3. I want to stay logged in for as long as I want.


                            Other than that, I don't have anything against MyHS, but it is still yet another (relatively slow) cloud connection I am hoping to avoid.
                            website | buy now | support | youtube

                            Comment


                              #15
                              Originally posted by jon00
                              What slow speeds are you experiencing Moskus?
                              I know that this is only a guide, but I see ping times from East Coast USA to myhs at ~35ms. I see transatlantic pings mostly of 70-90ms - depending on site.

                              What do you guys in Europe see for myhs currently?
                              cheeryfool

                              Comment
