Announcement

Collapse
No announcement yet.

We need native HTTPS support!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Looking at the thumbprint of your new certificate that you uploaded for the linux testers is SHA256 with 2048 key length.. It also works with Windows - you probably already knew that... Good. Thanks!!

    After the holidays I might build a test system and expose it to SSL Labs for fun... BUT, my hunch is that it will find something that we didn't know about... It is worth doing it tough.

    Originally posted by rjh View Post
    I think the cert specifies this. I don't don't specify any of this when I authenticate the stream.

    Maybe if someone can enable SSL and expose their system to the Internet we can check it with:

    https://www.ssllabs.com/ssltest/

    And see what it finds.
    HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.

    Comment


      On Windows, the SSL protocols are set by registry entries, and this tool is an easy way to set them up:

      https://www.nartac.com/Products/IISCrypto

      So if there are some insecure protocols enabled, you can use the tool to lock it down as you like.

      Not sure yet how this is controlled on Linux.

      Originally posted by Krumpy View Post
      Looking at the thumbprint of your new certificate that you uploaded for the linux testers is SHA256 with 2048 key length.. It also works with Windows - you probably already knew that... Good. Thanks!!

      After the holidays I might build a test system and expose it to SSL Labs for fun... BUT, my hunch is that it will find something that we didn't know about... It is worth doing it tough.
      💁‍♂️ Support & Customer Service 🙋‍♂️ Sales Questions 🛒 Shop HomeSeer Products

      Comment


        Originally posted by rjh View Post
        I don't plan on supporting SSL with HSTouch, that would require new HSTouch clients. We will be supporting it with the new mobile client we are working on.

        The SSL support that was just added is for web access.
        Rich,

        What will be the reason for not implementing SSL with HSTouch clients? 1) the extensive amount of work or 2) the fact that other options are available to resolve the security issues?

        This also bring me to the fact that you mentioned that HSTouch will be supported in the future. What type of support could we expect?

        1) resolving security fixes
        2) bug fixes
        3) addition of functionality

        And how long do you plan support after the mobile app is available.

        ---
        John

        Comment


          Excellent point. I have been down this rabbit hole before. There are some good best practices mentioned on the following site:

          https://github.com/ssllabs/research/...Best-Practices

          The Windows reg keys are not that hidden if I recall. Folks will need to either download the aforementioned tool or research how to enable/disable the protocols in the SCHANNEL subsystem. To Rich's point, this is the same with IIS as it is with HomeSeer. I guess that is the nice thing about Windows as they both use the same technologies....

          HKey_Local_Machine\System\CurrentControlSet\Control\Security Providers \SCHANNEL\Protocols
          Last edited by Krumpy; December 22, 2017, 09:59 PM.
          HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.

          Comment


            HSTouch already has a security mechanism for the connection, so I don't see a big need to re-write that. It would be a lot of work to rewrite the connection protocols. Nothing is ruled out though. We intend to keep supporting HSTouch and adding to it.

            Originally posted by John245 View Post
            Rich,

            What will be the reason for not implementing SSL with HSTouch clients? 1) the extensive amount of work or 2) the fact that other options are available to resolve the security issues?

            This also bring me to the fact that you mentioned that HSTouch will be supported in the future. What type of support could we expect?

            1) resolving security fixes
            2) bug fixes
            3) addition of functionality

            And how long do you plan support after the mobile app is available.

            ---
            John
            💁‍♂️ Support & Customer Service 🙋‍♂️ Sales Questions 🛒 Shop HomeSeer Products

            Comment


              You can see why this is not really something for the average user to deal with, hence why MyHS is a better solution for the majority of users. But its in there for the more technical to tackle if they want.

              Originally posted by Krumpy View Post
              Excellent point. I have been down this rabbit hole before. There are some good best practices mentioned on the following site:

              https://github.com/ssllabs/research/...Best-Practices

              The Windows reg keys are not that hidden if I recall. Folks will need to either download the aforementioned tool is research how to enable/disable the protocols in the SCHANNEL subsystem. To Rich's point, this is the same with IIS as it is with HomeSeer. I guess that is the nice thing about Windows as they both use the same technologies....

              HKey_Local_Machine\System\CurrentControlSet\Control\Security Providers \SCHANNEL\Protocols
              💁‍♂️ Support & Customer Service 🙋‍♂️ Sales Questions 🛒 Shop HomeSeer Products

              Comment


                Originally posted by rjh View Post
                I don't plan on supporting SSL with HSTouch, that would require new HSTouch clients. We will be supporting it with the new mobile client we are working on.
                Rich,

                When the new version of HSTouch becomes available, should we expect that our current applications will work without extensive changes?

                Comment


                  You mean HSTouch applications? If so, then Rich I believe is saying that he is not intending on applying the solution that has been discussed within this thread to HSTouch as it is not using web technologies in terms of the data stream. To change this architecture would require a major change to all of the HSTouch communication technologies.

                  He has stated that there is another user interface coming which will utilize the same communication stream as discussed in this thread. But that is somewhat outside of the purpose of this thread as it has not been released yet.

                  Just trying to keep things somewhat organized.

                  Originally posted by logbuilder View Post
                  Rich,

                  When the new version of HSTouch becomes available, should we expect that our current applications will work without extensive changes?
                  HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.

                  Comment


                    Originally posted by rjh View Post
                    You can see why this is not really something for the average user to deal with, hence why MyHS is a better solution for the majority of users. But its in there for the more technical to tackle if they want.
                    I am not sure that I completely agree with you.

                    I do agree with you that reading and understanding secure web technologies best practices and how to configure them within the Windows registry is outside of the scope of the novice user. It's am ever evolving process where even the experts sometimes conflict each other in terms of opinions. Yes, they are opinions. I am certainly not a definitive expert.

                    But, the challenge I have with recommending myHS as a secure method of getting to someone's remote HS Web server is that I have been burned by the issue whereas all of a sudden users showed up in my HS user account area that I did not create myself. Second, myHS is a cloud technology that utilizes a Microsoft cloud service and your infrastructure acts as a man in the middle "tunneling" technology. No penetration testing has been performed, or at least published thus far, and that there are just a lot of things that could go wrong if the "right" wrong thing occurred.

                    I would call myHS a novice user's best choice if they want to accept the associating risks by using such a technology. Not sure if they fully understand the associating risks. For some there is little to no risks, to someone where HomeSeer is Internet accessible and their livelihood is at stake, well??? Not sure that I would trust all of the cloud technologies involved in myHS if my HS system controlled sensitive technologies at my house.

                    Having said that, the challenge is that HomeSeer Technologies does not control this path end to end. If you did, then I would have less concerns. That is just the issue, HomeSeer Technologies does not control what happens end to end in the Internet connected data stream! So, my concerns are in protecting my interests; not only in terms of my house (and so on), but also in terms of what could happen to HomeSeer Technologies as a company if the "right" wrong thing happened in terms of a breach with myHS/HomeSeer, etc.

                    Security is not cheap. You get what you put in. Even large organizations which employ many security staff have been breached. Target, Home Depot, Equifax, etc.

                    For those folks that are willing to accept the risks, myHS is a good solution. For folks that want to be in control of engineering their solution, the new HTTPS web service is their best solution. I think that we can write a white paper for even intermediate users to utilize the new security functionality that you have added in the latest beta build.

                    The key is that users now have options based on the risk level they want to accept!

                    What you have done in the past week is completely awesome! And very appreciated! I am very impressed as you are working your tail off with this beta. You have shown that you are very agile and can handle several projects/efforts at once to satisfy your user community. This is why I have been a loyal user for the past 19 or 20 years. I enjoy this community, and love that several of us are working with you in attempts of improving the security structure of the product.
                    Last edited by Krumpy; December 22, 2017, 10:09 PM.
                    HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.

                    Comment


                      I understand the concerns, hence the reason I went and added SSL.

                      I would like support for this to be on the forums, maybe someone can create a "HowTo" so users who want complete control of their connections can get things working. It would have to layout how to set up port forwarding and the creation of SSL certs.

                      Imagine if we added "official" support for this? Supporting it through our tech support would be a nightmare. We would have to walk users through SSL certificate setup, port forwarding, and many other networking issues. That is why I don't to make this a feature that we help users with in regards to setting it up. MyHS is difficult enough. Some users have routers and PC anti virus that blocks outgoing ports and we have walk users though these types of issues when they don't know what a port is. I think you can see the problem.

                      I think it is great that this option exists. I don't know of many HA systems that allow this, most are all cloud based.

                      Originally posted by Krumpy View Post
                      I am not sure that I completely agree with you.

                      I do agree with you that reading and understanding secure web technologies best practices and how to configure them within the Windows registry is outside of the scope of the novice user. It's am ever evolving process where even the experts sometimes conflict each other in terms of opinions. Yes, they are opinions. I am certainly not a definitive expert.

                      But, the challenge I have with recommending myHS as a secure method of getting to someone's remote HS Web server is that I have been burned by the issue whereas all of a sudden users showed up in my HS user account area that I did not create myself. Second, myHS is a cloud technology that utilizes a Microsoft cloud service and your infrastructure acts as a man in the middle "tunneling" technology. No penetration testing has been performed, or at least published thus far, and that there are just a lot of things that could go wrong if the "right" wrong thing occurred.

                      I would call myHS a novice user's best choice if they want to accept the associating risks by using such a technology. Not sure if they fully understand the associating risks. For some there is little to no risks, to someone where HomeSeer is Internet accessible and their livelihood is at stake, well??? Not sure that I would trust all of the cloud technologies involved in myHS if my HS system controlled sensitive technologies at my house.

                      Having said that, the challenge is that HomeSeer Technologies does not control this path end to end. If you did, then I would have less concerns. That is just the issue, HomeSeer Technologies does not control what happens end to end in the Internet connected data stream! So, my concerns are in protecting my interests; not only in terms of my house (and so on), but also in terms of what could happen to HomeSeer Technologies as a company if the "right" wrong thing happened in terms of a breach with myHS/HomeSeer, etc.

                      Security is not cheap. You get what you put in. Even large organizations which employ many security staff have been breached. Target, Home Depot, Equifax, etc.

                      For those folks that are willing to accept the risks, myHS is a good solution. For folks that want to be in control of engineering their solution, the new HTTPS web service is their best solution. I think that we can write a white paper for even intermediate users to utilize the new security functionality that you have added in the latest beta build.

                      The key is that users now have options based on the risk level they want to accept!

                      What you have done in the past week is completely awesome! And very appreciated! I am very impressed as you are working your tail off with this beta. You have shown that you are very agile and can handle several projects/efforts at once to satisfy your user community. This is why I have been a loyal user for the past 19 or 20 years. I enjoy this community, and love that several of us are working with you in attempts of improving the security structure of the product.
                      💁‍♂️ Support & Customer Service 🙋‍♂️ Sales Questions 🛒 Shop HomeSeer Products

                      Comment


                        Originally posted by Krumpy View Post
                        I think that we can write a white paper for even intermediate users to utilize the new security functionality that you have added in the latest beta build.
                        I would be first in line to see and use this.

                        Thanks

                        Comment


                          Homeseer .398 with wildcard certificate from external Certificate Authority

                          From Krumpy talking about the HomeSeer Web Interface with SSL support enabled: "Can anyone else perform the same sort of test using a trusted certificate authority (such as GoDaddy, Verisign, etc)?"

                          Absolutely!

                          Finally got to the weekend, have the time, and happen to have a wildcard certificate from AlphaSSL for my domain, bigfastnet.com. The certificate is for *.bigfastnet.com and is a SHA-256 certificate. It chains thru AlphaSSL up to the GlobalSign root. (See attached screen capture of the certificate info.)

                          Setup:
                          • I have DNS for bigfastnet.com running internally to my home network - homeseer.bigfastnet.com is properly defined in DNS.
                          • HS3 Pro installed and running on Windows 10.


                          Changes:
                          • Went into C:\Program Files (x86)\HomeSeer HS3 and replaced the self-signed certificate included with the .398 beta with my *.bigfastnet.com certificate.
                          • In HS3 Tools -> Setup -> Labs, put in the SSL Server Certificate Password, checked the Enable SSL Secure Server.
                          • Restarted HS3 Pro to "reset all the marbles."


                          Results:
                          • https://homeseer.bigfastnet.com does exactly what you would expect. Every page I hit is encrypted. Not seeing any operational issues.
                          • Both Safari and Chrome see Homeseer properly secured.
                          • Been working on Homeseer for several hours and the SSL support appears to "just work".


                          Other:
                          I purchased my wildcard certificate from SSL2BUY.com because they were inexpensive and quick.
                          If you are looking for certificates for your company, Digicert.com has done well by me over the years. Recommended!


                          I'll keep using it and report back any abnormalities.
                          Attached Files

                          Comment


                            Originally posted by jjason View Post
                            From Krumpy talking about the HomeSeer Web Interface with SSL support enabled: "Can anyone else perform the same sort of test using a trusted certificate authority (such as GoDaddy, Verisign, etc)?"

                            Absolutely!

                            Finally got to the weekend, have the time, and happen to have a wildcard certificate from AlphaSSL for my domain, bigfastnet.com. The certificate is for *.bigfastnet.com and is a SHA-256 certificate. It chains thru AlphaSSL up to the GlobalSign root. (See attached screen capture of the certificate info.)

                            Setup:
                            • I have DNS for bigfastnet.com running internally to my home network - homeseer.bigfastnet.com is properly defined in DNS.
                            • HS3 Pro installed and running on Windows 10.


                            Changes:
                            • Went into C:\Program Files (x86)\HomeSeer HS3 and replaced the self-signed certificate included with the .398 beta with my *.bigfastnet.com certificate.
                            • In HS3 Tools -> Setup -> Labs, put in the SSL Server Certificate Password, checked the Enable SSL Secure Server.
                            • Restarted HS3 Pro to "reset all the marbles."


                            Results:
                            • https://homeseer.bigfastnet.com does exactly what you would expect. Every page I hit is encrypted. Not seeing any operational issues.
                            • Both Safari and Chrome see Homeseer properly secured.
                            • Been working on Homeseer for several hours and the SSL support appears to "just work".


                            Other:
                            I purchased my wildcard certificate from SSL2BUY.com because they were inexpensive and quick.
                            If you are looking for certificates for your company, Digicert.com has done well by me over the years. Recommended!


                            I'll keep using it and report back any abnormalities.
                            Excellent work!


                            How is the web server holding up? Previously when enabling SSL the web server would just stop working after a few hours.
                            HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
                            Running on Windows 10 (64) virtualized
                            on ESXi (Fujitsu Primergy TX150 S8).
                            WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

                            Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

                            Comment


                              Thanks for this as well... I didn't even know about a wild card certificate.
                              I use a certificate for my e-mail server currently - though, it's specific to my email.
                              So maybe a wild card certificate would help for both HS and my e-mail server since I can specify sub-domains...

                              Robert
                              Last edited by langenet; December 28, 2017, 10:38 AM.
                              HS3PRO 3.0.0.500 as a Fire Daemon service, Windows 2016 Server Std Intel Core i5 PC HTPC Slim SFF 4GB, 120GB SSD drive, WLG800, RFXCom, TI103,NetCam, UltraNetcam3, BLBackup, CurrentCost 3P Rain8Net, MCsSprinker, HSTouch, Ademco Security plugin/AD2USB, JowiHue, various Oregon Scientific temp/humidity sensors, Z-Net, Zsmoke, Aeron Labs micro switches, Amazon Echo Dots, WS+, WD+ ... on and on.

                              Comment


                                I too have a wildcard cert for my domain and have it running now since the 24th after moving to .398 from .397. I like that I don't need the VPN headaches.

                                It always bothered me that I had to let my tracking app (EgiGeoZone) in using http but now that is moved to secure too and while also still doing nat and port forwarding at the router.

                                Next I need to work on HSBuddy and get it connected secure. App is ready, just need to finish setting it up to move from 80 to 443.

                                So far so good. Now I too need to run SSL Labs on it to see where I sit.

                                Michael
                                HS3Pro & HS4Pro on Win2012R2
                                Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
                                BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave

                                Comment

                                Working...
                                X