Announcement

**John245** · February 28, 2017, 06:25 AM

Originally posted by Moskus View Post

So there's a bug in HomeSeer that give unauthorized users access to their HS systems. And apparently this is really easy to access other systems.

Rich says he has this fixed in beta .311 which is available here, and I'm currently installing despite my skepticism for betas.

But while we're looking at security issues, can we talk about the horribly buggy HTTPS web server built into HS3?!
Why isn't this working properly?!
I can't for the life of me not understand why HTTPS isn't available and being promoted as a more secure connection.

After all, HomeSeer is controlling our lives. It would be great if it also attempted to be somewhat secure.

+1
---
John

**drozwood90** · February 28, 2017, 12:37 PM

I do not know if there are bugs in the HTTPS web server or not - I do not use this...but I'd personally rather have the team focusing on product improvements as they have offered other solutions (the My Homeseer service). Personally, I just use OpenVPN and forget about it.

If I EVER really NEED to access my system through remote, I just wait for the OpenVPN link to establish.

If I can't wait that long, typically it is only 1 specific thing...and you could use Push Bullet or as I do, use AutoRemote. I use this for things like opening my garage, controlling certain lights in the house. Aside from that, I typically can just wait for the OpenVPN + HSTouch to open up.

--Dan

**sparkman** · February 28, 2017, 01:28 PM

I had not heard about any bugs either, but it does use an outdated version of SSL/TLS so is pretty much useless at this point. I believe HS has stated in other threads and on Bugzilla that they are not planning to support newer versions of SLL/TLS as the MyHS service is a replacement for it. I don't quite agree with that stance and they should remove the SSL functionality completely if that is indeed the case. I use a VPN as well for most of my remote access, but having options is always nice.

Cheers
Al

**Moskus** · March 1, 2017, 02:03 AM

Originally posted by sparkman View Post

I believe HS has stated in other threads and on Bugzilla that they are not planning to support newer versions of SLL/TLS as the MyHS service is a replacement for it.

There's a problem with that argument.

HomeSeer is sold and markedet as a product not depending on cloud connections, and running locally.
Being able to securely access HomeSeer only through HSTs cloud service is somewhat strange then, isn't it?

**Bestgear** · March 1, 2017, 02:55 AM

Originally posted by Moskus View Post

There's a problem with that argument.

HomeSeer is sold and marketed as a product not depending on cloud connections, and running locally.
Being able to securely access HomeSeer only through HSTs cloud service is somewhat strange then, isn't it?

100% agree....and many still question the cloud's exact place within HA....considering latency and reliance on systems you have no guarantee on availability.

**sparkman** · March 1, 2017, 08:14 AM

We need native HTTPS support!

Originally posted by Moskus View Post

There's a problem with that argument.

HomeSeer is sold and markedet as a product not depending on cloud connections, and running locally.
Being able to securely access HomeSeer only through HSTs cloud service is somewhat strange then, isn't it?

I'm not sure it's an argument. HST markets itself as being able to run locally without the cloud, but not about being able to access it remotely without the cloud. Remote access requires 3rd party services (ie internet/the cloud) to work. They substituted one method of access over that for another.

As I stated in my previous post, I don't agree with HST's direction either and filed a bugzilla on it when Chrome was updated and no longer supported the old TLS. I don't agree with Google's/Chrome's stance either, but I suspect they are even less open to feedback than HST is.

You still have an option of implementing your own VPN, which is what I did. Unless most HS users file a bugzilla asking HS to update SSL/TLS, I expect nothing will get done.

Cheers
Al

**Moskus** · March 1, 2017, 08:19 AM

For now I'm happily running using a nginx proxy, which using this post and my existing certificate was relatively easy.

I just wish that HST was taking this seriously, as a proper web server would be preferable.

**rjh** · March 1, 2017, 09:09 AM

https is impossible to set up on your own system as you need a certifcate to use properly. So we will probably be removing it in a future build. MyHS uses HTTPS and that is the recommended solution.

**Bestgear** · March 1, 2017, 09:38 AM

Originally posted by rjh View Post

https is impossible to set up on your own system as you need a certifcate to use properly. So we will probably be removing it in a future build. MyHS uses HTTPS and that is the recommended solution.

I think "impossible" is a very strong word and SSL/Certs are normally an easy setup for those that feel they need it.

I would also say that there is a very strong case not to depend on any cloud service, including MyHS within Homeseer or indeed any HA product. Cloud can add value, but we all know key functionality is easily tripped up due to availability or rather lack of it.

It would be a sad day when and if HS relies on MyHS and if the local web interface were to dissapear I am sure many users would too.

David

**rjh** · March 1, 2017, 10:02 AM

The local web interface is not going away, you will always be able to manage your system locally, without an Internet connection.

You really cannot use SSL securely without a domain. Sure you can create a self signed cert, but that is not really secure.

I don't know why there is a push back on MyHS, we have made it very reliable (I use it every day), and it uses SSL, and its free. Why should we provide yet another secure solution for accessing your home system? That is so complicated that only the really technical can use it?

There are bunch of free tunneling apps out there that you can run on your PC and it will allow you to securely tunnel into your home system. Also, as mentioned, you can use a VPN. So there are solutions available for the technically minded.

Originally posted by Bestgear View Post

I think "impossible" is a very strong word and SSL/Certs are normally an easy setup for those that feel they need it.

I would also say that there is a very strong case not to depend on any cloud service, including MyHS within Homeseer or indeed any HA product. Cloud can add value, but we all know key functionality is easily tripped up due to availability or rather lack of it.

It would be a sad day when and if HS relies on MyHS and if the local web interface were to dissapear I am sure many users would too.

David

**Moskus** · March 1, 2017, 11:57 AM

Originally posted by rjh View Post

I don't know why there is a push back on MyHS, we have made it very reliable (I use it every day), and it uses SSL, and its free. Why should we provide yet another secure solution for accessing your home system? That is so complicated that only the really technical can use it?

I have two-three issues with MyHS:

MyHS is much faster now than it was before, but it is still noticably slower. We need a EU server.
Can you tell me how I can add support for e.g. my own app, WinSeer? I'm sure it's possible but I can't figure out how.
I want to stay logged in for as long as I want.

Other than that, I don't have anything against MyHS, but it is still yet another (relatively slow) cloud connection I am hoping to avoid.

**jon00** · March 1, 2017, 12:16 PM

Originally posted by Moskus View Post

I have two-three issues with MyHS:

MyHS is much faster now than it was before, but it is still noticably slower. We need a EU server.

What slow speeds are you experiencing Moskus?

**rjh** · March 1, 2017, 01:15 PM

MyHS can now use multiple servers, so setting up an EU server is possible and we are looking into it. It would speed things up.

But I would think you would use HSTouch for remote access, I never use the web interface, HSTouch is much easier and HSTouch uses very little data so it should be just about as fast as local connection.

There is no timeout if you leave the web browser open with MyHS, so you should be able to stay connected.

As for your own app, if you are trying to access an HS system through MyHS just use the JSON interface. You pass the user/pass in the command so accessing is easy. If you need some docs on this, let me know.

Originally posted by Moskus View Post

I have two-three issues with MyHS:

MyHS is much faster now than it was before, but it is still noticably slower. We need a EU server.
Can you tell me how I can add support for e.g. my own app, WinSeer? I'm sure it's possible but I can't figure out how.
I want to stay logged in for as long as I want.

Other than that, I don't have anything against MyHS, but it is still yet another (relatively slow) cloud connection I am hoping to avoid.

**cheeryfool** · March 1, 2017, 01:23 PM

Originally posted by jon00 View Post

What slow speeds are you experiencing Moskus?

I know that this is only a guide, but I see ping times from East Coast USA to myhs at ~35ms. I see transatlantic pings mostly of 70-90ms - depending on site.

What do you guys in Europe see for myhs currently?

Announcement

We need native HTTPS support!

We need native HTTPS support!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment