We need native HTTPS support!

  • lifespeed
    replied
    Originally posted by beerygaz
    Could we have a South African server then too please?

    Setting aside the political objections to having all of my traffic having to traverse a network in the US.

    Page load time direct: 3s
    Page load time using MyHS from South Africa: 32s!!

    I'm sorry, but I find it very parochial to assume that MyHS is the panacea for everyone just because the majority of your user base is in the USA.

    As for VPN access, having to establish a VPN to my home network from my phone every time I want to access HS is just not a feasible solution.

    Oh, and the "use HS Touch" response is also unacceptable given the fact that it's buggy, incomplete and not receiving the development attention it deserves these days.
    These are all valid points. However, if the desire is to use the web interface remotely (instead of HSTouch), this *appears* to be available via HTTPS in the network settings tab. I tried it, but had not yet created a security certificate so Firefox for Android rejected it.

  • beerygaz
    replied
    HTTPS is exactly the encryption I'm looking for to ensure that my credentials and home automation commands are not sent in clear text. To help limit the possibility of man-in-the-middle and other injection attacks, HTTPS goes a long way.

    I fully agree that other means are necessary to identify possible compromises of the system.

    A great tool that helped with that is Jon00's Whois plugin. But again, because I don't live in the USA that plugin won't work because my log format lists the date differently and HST won't address the bug.

    I think this thread was started to try to highlight the need for SSL support and remind HST that many of us invested in this platform because of the openness and flexibility it offered. It very much feels like that's being taken away and we're being forced into compromised alternatives.

  • lveatch
    replied
    My understanding of HTTPS is that it does not provide security protection as you are expecting. Rather it encrypts the communication between the client and the server. This prevents the data from passing in clear text over the internet. HTTPS will not directly protect your HS system from being compromised. It would prevent someone from possibly capturing your HS id and password as it passed between your client and server.

    The SSL Certificate is to warn the user that you are indeed directly communicating to the intended server. However, there are (weekly) new methods attackers are using to trick you into going to fake sites to capture your login credentials. Here is a recent issue fixed in some modern web browsers, but recently in Chrome (https://9to5mac.com/2017/04/20/how-t...ke-apple-site/)

    If there are security related vulnerability "bugs" in HS, those bugs would allow it to be compromised regardless of HTTP or HTTPS. HTTPS would just mean that the attacker's communication would be encrypted between their client and your HS system.

    Real security protections rely on the HS application developers and your network/firewall/user account management.

    User account management would entail setting up HSTouch, internet use only accounts, etc that do not have administrative privileges.

    Having additional built-in security related options such as system event triggers leveraging the current event engine or notifications on new account creation or changes, and remote logins would greatly reduce the effects of a compromise.

    When the HS log was still text (HS2), I wrote a simple perl script that monitored the text log for remote log-ins and notified me (email on phone). I've lost that ability in HS3 as the log is now a SQLite database. I have the base code changed but never implemented to query the database as I was focused on a windows to linux HS3 migration and plan to address on linux. However a built in capability to notify an admin email address would simplify this for all.

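The remote-login watcher lveatch describes above, rewritten for a SQLite log, as an added example that is not code from this thread or from HomeSeer. The table layout (Log_DateTime, Log_Type, Log_Entry), the wording of the login lines and the sample rows are assumptions made for illustration; the trusted-network list is what you would set to your own LAN.

```python
# Added example: poll an HS3-style SQLite log for logins from outside the LAN
# and hand them to a notifier. The table/column names and the log-line wording
# are ASSUMED for illustration; check them against the real database first.
import ipaddress
import re
import sqlite3

# Networks that count as "home"; anything else is treated as remote.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Any entry mentioning a login followed by "from <IPv4>" is treated as a login line.
LOGIN_RE = re.compile(r"login.*?\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)

def is_remote(ip_text):
    """True when the address is not inside one of the trusted home networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: do not alert on garbage
    return not any(ip in net for net in TRUSTED_NETS)

def find_remote_logins(conn, since_rowid=0):
    """Return (last_rowid, alerts) for rows newer than since_rowid.
    Persist last_rowid between polls so each login is reported only once."""
    rows = conn.execute(
        "SELECT rowid, Log_DateTime, Log_Entry FROM Log WHERE rowid > ? ORDER BY rowid",
        (since_rowid,)).fetchall()
    alerts, last = [], since_rowid
    for rowid, when, entry in rows:
        last = rowid
        m = LOGIN_RE.search(entry)
        if m and is_remote(m.group(1)):
            alerts.append((when, m.group(1), entry))
    return last, alerts

def constructed_log():
    """Constructed in-memory database standing in for the HS3 log file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Log (Log_DateTime TEXT, Log_Type TEXT, Log_Entry TEXT)")
    conn.executemany("INSERT INTO Log VALUES (?,?,?)", [
        ("2017-05-22 08:00:01", "Web Server", "Web Server login successful for user admin from 192.168.1.20"),
        ("2017-05-22 08:05:44", "Web Server", "Web Server login failed for user admin from 203.0.113.7"),
        ("2017-05-22 08:06:10", "Web Server", "Web Server login successful for user guest from 203.0.113.7"),
        ("2017-05-22 08:07:00", "Device Control", "Device: Kitchen Light set to On"),
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = constructed_log()
    mark, hits = find_remote_logins(db)
    for when, ip, entry in hits:
        print(f"NOTIFY: {when} login activity from {ip}: {entry}")  # hook email/push here
    mark, hits = find_remote_logins(db, mark)  # second poll: no new rows, no repeat alerts
```

Both the failed and the successful attempt from the outside address are reported, while the LAN login and the device-control line are ignored; the second poll with the saved row mark returns nothing.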
  • beerygaz
    replied
    Could we have a South African server then too please?

    Setting aside the political objections to having all of my traffic having to traverse a network in the US.

    Page load time direct: 3s
    Page load time using MyHS from South Africa: 32s!!

    I'm sorry, but I find it very parochial to assume that MyHS is the panacea for everyone just because the majority of your user base is in the USA.

    As for VPN access, having to establish a VPN to my home network from my phone every time I want to access HS is just not a feasible solution.

    Oh, and the "use HS Touch" response is also unacceptable given the fact that it's buggy, incomplete and not receiving the development attention it deserves these days.

  • Kerat
    replied
    We need native HTTPS support!

    Originally posted by Moskus
    I've successfully set up nginx with this purpose as mentioned in the first post. It works really well.

    But I still consider it as a band aid on what should be there right out of the box.

    I am fortunate, I have a PFsense firewall that is very flexible. I have my reverse proxy (HAproxy package in PFSense) setup using a few subdomains under my registered domain. To get to my home I have an A+ public DNS record that is updated by my dynamic DNS package in PFSense. I have a few CNAME records that point to my A+ records.
    I use the ACME Let's Encrypt package for PFsense to manage and automate the updating of my SSL certificates for each of my subdomains. I had to add a custom TXT record to my public DNS for each SSL.
    Everything seems to be working like a champ. My next step is to harden my setup:

    1. Get client certificate authorization configured in the HAproxy client, in order to ensure that only devices I decide can access my HAproxy front end in the first place.

    2. Ensure that I am using all the security best practices in my setup.

    3. Figure out how to get a log configured to enumerate what IP addresses are attempting to access my system and what region they are in.

  • lifespeed
    replied
    yes, HTTPS please

    I agree 100%, HTTPS is a basic expectation of secure external access via the internet. VPN has its place but should not be a necessity for a simple web interface or as a workaround for a lack of implementation of a basic feature.

    As an example, Emby media server is exposed to the internet, supports HTTPS external access and also has the native ability to run as a windows service on boot, no user login required.

  • Moskus
    replied
    Originally posted by Timon
    I have to disagree with that statement. A self signed cert is just as secure as a signed one for protecting the data. Any cert, be it signed or unsigned, will protect the connection and the data crossing it but only signed confirms the identity of the site you're connecting to. VPN connections are not signed but they secure just as well.
    THIS!

  • Timon
    replied
    Originally posted by rjh
    The local web interface is not going away, you will always be able to manage your system locally, without an Internet connection.
    And it should stay but HTTPS should be added as well.

    Originally posted by rjh
    You really cannot use SSL securely without a domain. Sure you can create a self signed cert, but that is not really secure.
    I have to disagree with your statement. A self signed cert is just as secure as a signed one for protecting the data. Any cert, be it signed or unsigned, will protect the connection and the data crossing it but only signed confirms the identity of the site you're connecting to. VPN connections are not signed but they secure just as well.

    To put it in other words. If I'm running an e-commerce server I MUST have a signed cert or my customers will not know if it's really me they are connecting to. For my own personal server that only my family connects to a self signed cert protects just as well as signed.

    Originally posted by rjh
    I don't know why there is a push back on MyHS, we have made it very reliable (I use it every day), and it uses SSL, and it's free. Why should we provide yet another secure solution for accessing your home system? That is so complicated that only the really technical can use it?
    So when I'm away from home my connection to MyHS is secure but is the connection between MyHS and my controller at home secure or is it running in the clear?

    Originally posted by rjh
    There are a bunch of free tunneling apps out there that you can run on your PC and it will allow you to securely tunnel into your home system. Also, as mentioned, you can use a VPN. So there are solutions available for the technically minded.
    VPN has always been my preferred way to communicate between my home and my remote devices but one should never leave HTTPS out of the picture.

    Originally posted by Moskus
    I still think we need a proper SSL supported web server. You can even get free fully qualified certificates these days (take a look at letsencrypt.org), so there really aren't any excuses. We ARE in 2017, everything should be using SSL.
    I'll have to check them out and I agree EVERYTHING should be using SSL especially when it's going into and out of your home.
    Last edited by Timon; May 22, 2017, 01:47 PM.

  • Krumpy
    replied
    There does not seem to be any debate anymore. Just silence with head in the sand. If more people would be concerned then there would be more action. Why should the software developers focus on this when not sufficient numbers of people care?

    The ultimate problem is that people don't care about security until they are compromised. Then they scream how can this happen. Most people don't want to invest the time and energy in their security posture until it is too late.

    It is not a matter of "if" but rather "when". MyHS will become compromised if the appropriate due diligence is not practiced. Then there is a good chance that systems using this service will be impacted. We just don't know yet how they will be impacted...

    As it stands, the current HTTPS server helps somewhat, but ultimately I figure that it is riddled with security holes as the underlying technology does not appear to be maintained and patched.

  • Moskus
    replied
    Originally posted by Archcantor
    While Self-Signed certificates are not as secure as signed ones they do have value because the data is encrypted and snoopers can't see any clear login credentials. Using them is better than clear text.
    Yes, exactly! If it is a matter of encryption or no encryption for web traffic, there really should be no debate.

  • Archcantor
    replied
    I had been using Stunnel and self-signed certificate to create HTTPS connections into HS3. It worked well but the encryption created CPU load on my old laptop. I eventually removed it and closed the outside ports, relying on HSTouch and MyHS.

    While Self-Signed certificates are not as secure as signed ones they do have value because the data is encrypted and snoopers can't see any clear login credentials. Using them is better than clear text.

    I understand your points about the value of MyHS but I'm one of those who like to keep my things local and independent and 100% within my control. Still, having the secure option of MyHS is good. -Rick

  • TechFan
    replied
    Originally posted by Moskus
    I've successfully set up nginx with this purpose as mentioned in the first post. It works really well.

    But I still consider it as a band aid on what should be there right out of the box.


    Hm. I'll try looking at this at some point.

  • Moskus
    replied
    Originally posted by Kerat
    So, I am trying to work on a way to get a reverse proxy configured with an SSL cert to allow https support on my Emby media player. If it works I will update to the latest version .312 and try getting HS added to this.
    I've successfully set up nginx with this purpose as mentioned in the first post. It works really well.

    But I still consider it as a band aid on what should be there right out of the box.

  • Kerat
    replied
    We need native HTTPS support!

    So, I am trying to work on a way to get a reverse proxy configured with an SSL cert to allow https support on my Emby media player. If it works I will update to the latest version .312 and try getting HS added to this.

  • TechFan
    replied
    Originally posted by Krumpy
    I want to thank HomeSeer Technologies for their consistent willingness to evolve. They have proven this time and time again. This may just be the horizon for the next evolution!
    Yes, thank you. Hoping for a bright and secure future with HS

    Originally posted by Krumpy
    I personally think that a HTTPS web service capability is the simplified solution of security. Let me engineer the path to my HomeSeer system and allow me to host my HS environment via secure HTTPS web transactions. If there is a cost to purchase an official certificate, then let me make that decision whether the risk versus reward is justified. From my perspective, the cost of an official certificate is well worth the investment to protect my automation resources.

    Let's close that proper information systems security practices are all of our responsibilities. We must be a team and work together to ensure that our home automation systems are secure.
    Yes, using HS for many of us is about choice (to not use cloud services, create our own rules and scripts, secure or not secure, etc). If there is no tool for SSL, then we lose that choice. Doesn't HS need to use a secure tunnel between MyHS and our systems anyway...

    Thanks again for providing the free myhs option.
