Announcement

Collapse
No announcement yet.

We need native HTTPS support!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #31
    Originally posted by rjh View Post
    307 is a beta, but that should not matter. Update to 312 and see if there is any change, I suspect not. I don't understand why you cannot access reliably, all looks ok on this end. Where are you located?
    I am in SouthWest MS...

    You can use my myHS credentials to connect if you want. I suspect you'll see the same thing I am. Mine is the first connection. The second is a ZeeS2 I manage for a friend.
    HS4Pro Running on a Raspberry Pi4
    79 Z-Wave Nodes, 131 Events, 383 Devices
    Z-Wave, UPB, WiFi
    Plugins: EasyTrigger, weatherXML, OMNI, Z-Wave, Tuya, Device History
    HSTouch Clients: 3 Android, 1 Joggler

    Comment


      #32
      MyHS does not use the HSTouch plugin for web access, so that should not matter.

      Originally posted by TechFan View Post
      Rich,

      You don't think it might be the HSTouch plug-in version? Not sure what is in the newer releases. I updated to .85 for some reason (don't remember what), but I haven't seen any change lots/release notes for HSTouch plugin since. . .could be missing them. . .
      website | buy now | support | youtube

      Comment


        #33
        If you want to PM or email me your login I would be happy to try from here. If its ok from here, it might tell us something.

        Originally posted by rmasonjr View Post
        I am in SouthWest MS...

        You can use my myHS credentials to connect if you want. I suspect you'll see the same thing I am. Mine is the first connection. The second is a ZeeS2 I manage for a friend.
        website | buy now | support | youtube

        Comment


          #34
          Originally posted by rjh View Post
          For accessing MyHS with user/pass with JSON, see the help file here, and click on the JSON section. On the first page there is a sample URL that includes user/pass:

          http://homeseer.com/support/homeseer...DK/default.htm
          Perfect!

          That means that if I replace "demo@homeseer.com" and "demo100" with my own credentials, it should work?

          Code:
          https://connected2.homeseer.com/JSON?user=demo@homeseer.com&pass=demo100&request=getstatus
          EDIT: Yes, it does work!
          Well, that's something at least!
          Now, if we only had Gzip or anything like that enabled perhaps speed could improve.

          My GetStatus JSON string is long. I have 986 devices...
          HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
          Running on Windows 10 (64) virtualized
          on ESXi (Fujitsu Primergy TX150 S8).
          WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

          Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

          Comment


            #35
            Originally posted by rjh View Post
            But I would think you would use HSTouch for remote access, I never use the web interface, HSTouch is much easier and HSTouch uses very little data so it should be just about as fast as local connection.
            I use MYHS all the time for the web interface as well as HSTouch. The web interface is the only way to make changes to the system (such as event editing) while away from home. It's not super fast but it gets the job done.

            - Robert

            Comment


              #36
              Originally posted by Moskus View Post
              Perfect!

              That means that if I replace "demo@homeseer.com" and "demo100" with my own credentials, it should work?

              Code:
              https://connected2.homeseer.com/JSON?user=demo@homeseer.com&pass=demo100&request=getstatus
              EDIT: Yes, it does work!
              Well, that's something at least!
              Now, if we only had Gzip or anything like that enabled perhaps speed could improve.

              My GetStatus JSON string is long. I have 986 devices...
              I saw this today and thought I'd give it a try. I get do you want to open or save JSON.json from connected2.homeseer.com.

              I can us https://myhs.homeseer.com/ to access my system if I want. What gives?

              Robert
              HS3PRO 3.0.0.500 as a Fire Daemon service, Windows 2016 Server Std Intel Core i5 PC HTPC Slim SFF 4GB, 120GB SSD drive, WLG800, RFXCom, TI103,NetCam, UltraNetcam3, BLBackup, CurrentCost 3P Rain8Net, MCsSprinker, HSTouch, Ademco Security plugin/AD2USB, JowiHue, various Oregon Scientific temp/humidity sensors, Z-Net, Zsmoke, Aeron Labs micro switches, Amazon Echo Dots, WS+, WD+ ... on and on.

              Comment


                #37
                Rich,

                myHS is great for the average person. But keep in mind that we are all betting and depending on your infrastructure to protect our systems. MyHS is a global risk as if it was compromised then we all could potentially be impacted. Do you have knowledgeable staff on the team that will practice ethical hacking to ensure that your environment meets industry security practices and standards? If not, then I would encourage you to be careful with the myHS recommendation as a solution for secure connectivity to peoples homes as stuff does happen. I know that you mean well, but I would encourage you to be careful with statements that we should not have security concerns.

                Second, by keeping all traffic with the local web server (http based) unencrypted, we are not addressing security concerns that may exist within a Intranet. I myself would prefer to use HTTPS even on my local network to protect from eavesdropping and to maintain security of my home.

                Food for thought... Please do not eliminate the HTTPS capability. In fact, please upgrade it to support the latest crypto standards to meet industry standards.

                Originally posted by rjh View Post
                The local web interface is not going away, you will always be able to manage your system locally, without an Internet connection.

                You really cannot use SSL securely without a domain. Sure you can create a self signed cert, but that is not really secure.

                I don't know why there is a push back on MyHS, we have made it very reliable (I use it every day), and it uses SSL, and its free. Why should we provide yet another secure solution for accessing your home system? That is so complicated that only the really technical can use it?

                There are bunch of free tunneling apps out there that you can run on your PC and it will allow you to securely tunnel into your home system. Also, as mentioned, you can use a VPN. So there are solutions available for the technically minded.
                Last edited by Krumpy; March 3, 2017, 12:02 PM.
                HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.

                Comment


                  #38
                  Originally posted by Krumpy View Post
                  Rich,

                  myHS is great for the average person. But keep in mind that we are all betting and depending on your infrastructure to protect our systems. MyHS is a global risk as if it was compromised then we all could potentially be impacted. Do you have knowledgeable staff on the team that will practice ethical hacking to ensure that your environment meets industry security practices and standards? If not, then I would encourage you to be careful with the myHS recommendation as a solution for secure connectivity to peoples homes.

                  Second, by keeping all traffic with the local web server (http based) unencrypted, we are not addressing security concerns that may exist within a Intranet. I myself would prefer to use HTTPS even on my local network to protect from eavesdropping and to maintain security of my home.

                  Food for thought... Please do not eliminate the HTTPS capability. In fact, please upgrade it to support the latest crypto standards to meet industry standards.
                  I agree with all of this.

                  Comment


                    #39
                    Originally posted by mloebl View Post
                    I agree with all of this.
                    Yes. I do as well.

                    Comment


                      #40
                      ... and I'm still surprised Rich didn't respond with a "Yes, we know it's stupid not to have proper SSL support, but we will address the issue ASAP".
                      HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
                      Running on Windows 10 (64) virtualized
                      on ESXi (Fujitsu Primergy TX150 S8).
                      WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

                      Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

                      Comment


                        #41
                        Originally posted by mloebl View Post
                        I agree with all of this.
                        Originally posted by TechFan View Post
                        Yes. I do as well.
                        +1
                        stefxx

                        Comment


                          #42
                          My point to this post is just to bring awareness of these items. I want to thank HomeSeer Technologies for their consistent willingness to evolve. They have proven this time and time again. This may just be the horizon for the next evolution!

                          HomeSeer Technologies is in business to provide home automation solutions. Let's think of it as a sort of "Internet of Things". They have never represented that there are not inherent risks associated with home automation especially when they are connected to the Internet. We as users have all assumed associated risks by connecting our homes to networking platforms such as the Internet. There are many security articles of "IoT" devices and their inherent risks...

                          The difference between security novices and security experts are that security experts expect a breach and think of it not in manners of "if" but in manners of "when".

                          HomeSeer is a successful product. No argument. The pro of being a successful product results in increased risks as more people are aware of its functionality and potentially also its weaknesses.

                          Having a common glue such as MyHS allows a bad actor to potentially have a "path" to all of our homes. I give kudo's to HomeSeer Technologies to even attempt to build such a solution as from a developers perspective it is not easy to build secure solutions like this. It takes serious thoughts and a team of experts to maintain such a solution. All of this results in significant business costs.

                          I personally think that a HTTPS web service capability is the simplified solution of security. Let me engineer the path to my HomeSeer system and allow me to host my HS environment via secure HTTPS web transactions. If there is a cost to purchase a official certificate, then let me make that decision whether the risk versus reward is justified. From my perspective, the cost of a official certificate is well worth the investment to protect my automation resources.

                          But we all know that a certificate will not necessarily guarantee that a breach will not occur:
                          * How many of us utilize proper practices to keep our Windows system safe from intrusion? How many of us run HomeSeer using a legacy Windows operating system? How many of us run HomeSeer using the administrator account? How many of us implement a proper systems security patching maintenance? I could go on and on.

                          * How many of us use effective password practices? I am not sure, but my understanding that the default password for Homeseer is Default/default.... How many of us have changed it? I am not sure if this password credential is only accepted via local connection attempts or if it is also accept by HomeSeer for remote connections. You can extrapolate from there.

                          * How many of us have put thought to how our automation rules (events, etc) operate outside of the "happy path"? Do you have rules or events to counter a bad actor from setting your t-stat to below freezing temps or vice versa? I mean think of it.. What would happen?



                          Let's close that proper information systems security practices are all of our responsibilities. We must be a team and work together to ensure that our home automation systems are secure.
                          Last edited by Krumpy; March 3, 2017, 01:25 PM.
                          HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.

                          Comment


                            #43
                            So... because I frequently forget to close my windows, I don't need a front door with a lock?

                            End of the day, security is a responsibility of all of us. Novice users will probably be better off (read: more secure) by using MyHS anyway. However, since i am NOT a novice user, I choose to run NOTHING related to Home Automation in the cloud, and NOTHING is dependent on a Internet connection.

                            This is against a trend that is unstoppable anyway. Did anyone notice that Chrome is flagging some non-ssl sites as unsafe already? I wouldn't be surprised if browsers will start disabling non-ssl sites altogether by default soon...
                            stefxx

                            Comment


                              #44
                              Originally posted by Krumpy View Post
                              I want to thank HomeSeer Technologies for their consistent willingness to evolve. They have proven this time and time again. This may just be the horizon for the next evolution!
                              Yes, thank you. Hoping for a bright and secure future with HS

                              Originally posted by Krumpy View Post
                              I personally think that a HTTPS web service capability is the simplified solution of security. Let me engineer the path to my HomeSeer system and allow me to host my HS environment via secure HTTPS web transactions. If there is a cost to purchase a official certificate, then let me make that decision whether the risk versus reward is justified. From my perspective, the cost of a official certificate is well worth the investment to protect my automation resources.

                              Let's close that proper information systems security practices are all of our responsibilities. We must be a team and work together to ensure that our home automation systems are secure.
                              Yes, using HS for many of us is about choice (to not use cloud services, create our own rules and scripts, secure or not secure, etc). If there is no tool for SSL, then we loose that choice. Doesn't HS need to use a secure tunnel between myhs and our systems anyway. . .

                              Thanks again for providing the free myhs option.

                              Comment


                                #45
                                We need native HTTPS support!

                                So, I am trying to work on a way to get a reverse proxy configured with an SSL cert to allow https support on my Emby media player. If it works I will update to the latest version .312 and try getting HS added to this.


                                Sent from my iPhone using Tapatalk

                                Comment

                                Working...
                                X