Thanks for this as well... I didn't even know about a wild card certificate.
I use a certificate for my e-mail server currently - though, it's specific to my email.
So maybe a wild card certificate would help for both HS and my e-mail server since I can specify sub-domains...

Robert

Excellent work!


How is the web server holding up? Previously when enabling SSL the web server would just stop working after a few hours.

Homeseer .398 with wildcard certificate from external Certificate Authority

From Krumpy talking about the HomeSeer Web Interface with SSL support enabled: "Can anyone else perform the same sort of test using a trusted certificate authority (such as GoDaddy, Verisign, etc)?"

Absolutely!

Finally got to the weekend, have the time, and happen to have a wildcard certificate from AlphaSSL for my domain, bigfastnet.com. The certificate is for *.bigfastnet.com and is a SHA-256 certificate. It chains thru AlphaSSL up to the GlobalSign root. (See attached screen capture of the certificate info.)

Setup:

• I have DNS for bigfastnet.com running internally to my home network - homeseer.bigfastnet.com is properly defined in DNS.
• HS3 Pro installed and running on Windows 10.

Changes:

• Went into C:\Program Files (x86)\HomeSeer HS3 and replaced the self-signed certificate included with the .398 beta with my *.bigfastnet.com certificate.
• In HS3 Tools -> Setup -> Labs, put in the SSL Server Certificate Password, checked the Enable SSL Secure Server.
• Restarted HS3 Pro to "reset all the marbles."

Results:

• https://homeseer.bigfastnet.com does exactly what you would expect. Every page I hit is encrypted. Not seeing any operational issues.
• Both Safari and Chrome see Homeseer properly secured.
• Been working on Homeseer for several hours and the SSL support appears to "just work".

Other:
I purchased my wildcard certificate from SSL2BUY.com because they were inexpensive and quick.

• $121 for three years - working well for me.
• https://www.ssl2buy.com/alphassl-wildcard.php

If you are looking for certificates for your company, Digicert.com has done well by me over the years. Recommended!


I'll keep using it and report back any abnormalities.

I would be first in line to see and use this.

Thanks

I understand the concerns, hence the reason I went and added SSL.

I would like support for this to be on the forums, maybe someone can create a "HowTo" so users who want complete control of their connections can get things working. It would have to layout how to set up port forwarding and the creation of SSL certs.

Imagine if we added "official" support for this? Supporting it through our tech support would be a nightmare. We would have to walk users through SSL certificate setup, port forwarding, and many other networking issues. That is why I don't to make this a feature that we help users with in regards to setting it up. MyHS is difficult enough. Some users have routers and PC anti virus that blocks outgoing ports and we have walk users though these types of issues when they don't know what a port is. I think you can see the problem.

I think it is great that this option exists. I don't know of many HA systems that allow this, most are all cloud based.

I am not sure that I completely agree with you.

I do agree with you that reading and understanding secure web technologies best practices and how to configure them within the Windows registry is outside of the scope of the novice user. It's am ever evolving process where even the experts sometimes conflict each other in terms of opinions. Yes, they are opinions. I am certainly not a definitive expert.

But, the challenge I have with recommending myHS as a secure method of getting to someone's remote HS Web server is that I have been burned by the issue whereas all of a sudden users showed up in my HS user account area that I did not create myself. Second, myHS is a cloud technology that utilizes a Microsoft cloud service and your infrastructure acts as a man in the middle "tunneling" technology. No penetration testing has been performed, or at least published thus far, and that there are just a lot of things that could go wrong if the "right" wrong thing occurred.

I would call myHS a novice user's best choice if they want to accept the associating risks by using such a technology. Not sure if they fully understand the associating risks. For some there is little to no risks, to someone where HomeSeer is Internet accessible and their livelihood is at stake, well??? Not sure that I would trust all of the cloud technologies involved in myHS if my HS system controlled sensitive technologies at my house.

Having said that, the challenge is that HomeSeer Technologies does not control this path end to end. If you did, then I would have less concerns. That is just the issue, HomeSeer Technologies does not control what happens end to end in the Internet connected data stream! So, my concerns are in protecting my interests; not only in terms of my house (and so on), but also in terms of what could happen to HomeSeer Technologies as a company if the "right" wrong thing happened in terms of a breach with myHS/HomeSeer, etc.

Security is not cheap. You get what you put in. Even large organizations which employ many security staff have been breached. Target, Home Depot, Equifax, etc.

For those folks that are willing to accept the risks, myHS is a good solution. For folks that want to be in control of engineering their solution, the new HTTPS web service is their best solution. I think that we can write a white paper for even intermediate users to utilize the new security functionality that you have added in the latest beta build.

The key is that users now have options based on the risk level they want to accept!

What you have done in the past week is completely awesome! And very appreciated! I am very impressed as you are working your tail off with this beta. You have shown that you are very agile and can handle several projects/efforts at once to satisfy your user community. This is why I have been a loyal user for the past 19 or 20 years. I enjoy this community, and love that several of us are working with you in attempts of improving the security structure of the product.

You mean HSTouch applications? If so, then Rich I believe is saying that he is not intending on applying the solution that has been discussed within this thread to HSTouch as it is not using web technologies in terms of the data stream. To change this architecture would require a major change to all of the HSTouch communication technologies.

He has stated that there is another user interface coming which will utilize the same communication stream as discussed in this thread. But that is somewhat outside of the purpose of this thread as it has not been released yet.

Just trying to keep things somewhat organized.

Rich,

When the new version of HSTouch becomes available, should we expect that our current applications will work without extensive changes?

You can see why this is not really something for the average user to deal with, hence why MyHS is a better solution for the majority of users. But its in there for the more technical to tackle if they want.

HSTouch already has a security mechanism for the connection, so I don't see a big need to re-write that. It would be a lot of work to rewrite the connection protocols. Nothing is ruled out though. We intend to keep supporting HSTouch and adding to it.

Excellent point. I have been down this rabbit hole before. There are some good best practices mentioned on the following site:

https://github.com/ssllabs/research/...Best-Practices

The Windows reg keys are not that hidden if I recall. Folks will need to either download the aforementioned tool or research how to enable/disable the protocols in the SCHANNEL subsystem. To Rich's point, this is the same with IIS as it is with HomeSeer. I guess that is the nice thing about Windows as they both use the same technologies....

HKey_Local_Machine\System\CurrentControlSet\Control\Security Providers \SCHANNEL\Protocols

Rich,

What will be the reason for not implementing SSL with HSTouch clients? 1) the extensive amount of work or 2) the fact that other options are available to resolve the security issues?

This also bring me to the fact that you mentioned that HSTouch will be supported in the future. What type of support could we expect?

1) resolving security fixes
2) bug fixes
3) addition of functionality

And how long do you plan support after the mobile app is available.

---
John

On Windows, the SSL protocols are set by registry entries, and this tool is an easy way to set them up:

https://www.nartac.com/Products/IISCrypto

So if there are some insecure protocols enabled, you can use the tool to lock it down as you like.

Not sure yet how this is controlled on Linux.

Looking at the thumbprint of your new certificate that you uploaded for the linux testers is SHA256 with 2048 key length.. It also works with Windows - you probably already knew that... Good. Thanks!!

After the holidays I might build a test system and expose it to SSL Labs for fun... BUT, my hunch is that it will find something that we didn't know about... It is worth doing it tough.

The new app uses our JSON interface so it would go through the same SSL connection as this one. You can connect to your home through MyHS, or simply enter the IP address of your home system and connect directly.