We need native HTTPS support!

  • rjh
    replied
    The user/pass is AES 128 bit encrypted, so while you could see the actual commands, not much you can do with them.

    Originally posted by TechFan:
    So, HSTouch is already protected with encryption on direct connections? And won't allow traffic capture and replay by a third party if captured?


  • TechFan
    replied
    Originally posted by rjh:
    Correct, HSTouch does not use HTTP so standard SSL will not work. To support SSL we would need to rewrite all the clients and the server. But the important stuff is already encrypted with the HSTouch connection so I don't see the need for SSL there.
    So, HSTouch is already protected with encryption on direct connections? And won't allow traffic capture and replay by a third party if captured?


  • rjh
    replied
    Correct, HSTouch does not use HTTP so standard SSL will not work. To support SSL we would need to rewrite all the clients and the server. But the important stuff is already encrypted with the HSTouch connection so I don't see the need for SSL there.

    Originally posted by TechFan:
    I will be soon. I installed the beta, but then forgot to enable the feature in the labs area. I assume this is only for accessing the admin interface directly, not for HSTouch direct connections, right?


  • TechFan
    replied
    Originally posted by rjh:
    If you are asking if the latest Beta has new SSL support, then yes, it's in there.

    Lots of people seemed to have asked for it, but I only know of one person actually trying it.
    I will be soon. I installed the beta, but then forgot to enable the feature in the labs area. I assume this is only for accessing the admin interface directly, not for HSTouch direct connections, right?


  • rjh
    replied
    If you are asking if the latest Beta has new SSL support, then yes, it's in there.

    Lots of people seemed to have asked for it, but I only know of one person actually trying it.

    Originally posted by Moskus:
    Wow. Does the latest beta do this?


  • Moskus
    replied
    Originally posted by rjh:
    The SSL was implemented using third party code since SSL was not in .NET at the time we added it. It has since been added to .NET so it's pretty easy now to create an SSL TCP server and I am doing it already in MyHS. Just need to move the code over. It probably won't take long to implement.
    Wow. Does the latest beta do this?


  • jjason
    replied
    Thank you - I look forward to trying this out!


  • jjason
    replied
    Thank you for improving MYHS SSL security

    I wanted to acknowledge the improvement in SSL Security of MYHS. I used the Development version of SSL Labs' SSL tester which includes the check for the new ROBOT vulnerabilities (https://robotattack.org) and your service passed the SSL checks with flying colors.

    The only final SSL-related suggestion is that you may wish to disable TLS_RSA_WITH_3DES_EDE_CBC_SHA because it is known to be weak.
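An added example, not part of the original post and not HomeSeer code: a small Python check that parses IANA-style TLS cipher suite names from a scanner report and flags the 3DES suite named above, going slightly beyond it to also flag static-RSA key exchange (the mode ROBOT targets) and other legacy ciphers. The offered-suite list and the function names are constructed for illustration.

```python
# Added example: constructed input, hypothetical function names.

def parse_suite(name):
    """Split a TLS 1.0-1.2 IANA suite name into (key exchange, cipher, MAC/PRF hash)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS <=1.2 suite name: {name!r}")
    kx, _, rest = name[len("TLS_"):].partition("_WITH_")
    cipher, _, mac = rest.rpartition("_")
    return kx, cipher, mac

def audit_suite(name):
    """Return finding labels for one suite (empty list means nothing flagged)."""
    if name.startswith("TLS_") and "_WITH_" not in name:
        return []  # TLS 1.3 naming: AEAD ciphers only, key exchange is always ephemeral
    kx, cipher, _mac = parse_suite(name)
    findings = []
    if kx == "RSA" or kx.startswith("RSA_"):
        # RSA-encrypted premaster secret: no forward secrecy, and the mode
        # that Bleichenbacher-style oracles such as ROBOT depend on.
        findings.append("static-rsa-kx")
    if cipher.startswith(("3DES", "DES", "IDEA")):
        # 64-bit block size: birthday-bound collisions on long sessions (Sweet32).
        findings.append("64-bit-block-cipher")
    if cipher.startswith("RC4"):
        findings.append("rc4")
    if cipher == "NULL" or "EXPORT" in kx:
        findings.append("null-or-export")
    return findings

def audit(offered):
    """Map each flagged suite to its findings; clean suites are omitted."""
    return {s: f for s in offered if (f := audit_suite(s))}

# Constructed sample of what a scanner might list for a server.
OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for suite, findings in audit(OFFERED).items():
        print(f"{suite}: {', '.join(findings)}")
```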


  • RJS
    replied
    Me too. Sorry

    - Robert


  • S-F
    replied
    Originally posted by Krumpy:
    Gentlemen,

    This thread is about security. Would it be feasible to refrain from discussions other than security related items?

    Yes, you are right. I apologize to the community at large for my temper tantrum.

    Now back to your regularly scheduled program.


  • Krumpy
    replied
    Gentlemen,

    This thread is about security. Would it be feasible to refrain from discussions other than security related items? Discussions regarding the new interface should be in a new thread... Please?

    I am a CISSP as well and want to give kudos to Rich for implementing a change that increases potential security. The reason I say potential is because we have to identify what ciphers are being used and test it. Like jjason stated, AES128 is not a strong form of security. The banking industry would not accept it. AES256 or equivalent, or greater would be preferred.

    It sounds like some progress has been made and now we need to test the latest to ensure it works. Then we need to provide clear direction in terms of our security requirements so that Rich can research how to implement. We also have to accept the cost associated with this.


  • RJS
    replied
    Originally posted by S-F:
    ...I use HSTouch with custom screens that I really like and I'm generally an avid supporter of HS3 and HSTouch in general as should be evidenced by my forum activity... HSTouch has the possibility of being the be all and end all of home control, but there are just too many issues with it.
    I can't agree with you more. I use HSTouch with custom projects and never use the default projects. I enjoy creating screens. The customization of HST has gotten my wife off my back too. It's been a long time since she has asked how much I have spent on this stuff. That's because I listen to her gripes and tweak the HST interface / Events.

    However, the bugs in HST really add stress. When I get grief for something now, it's a bug's fault. Here are 2 that I found recently that caused my Windows/Android clients to either crash, become unresponsive or take forever to load screens. I know this is not the place to post them but since bugs are ignored anyway, it doesn't matter.
    bug1: Some paths within the project xml file include the drive letter. For example, instead of the path for a button being "\Default\Buttons\pad-yellow-norm.png" it appears in the file as "C:\Users\USER ACCOUNT\Documents\HSTouch\Skins\Default\Buttons\pad-yellow-norm.png".
    bug2: Here's the case - I had buttons in HST that called events. These particular events ran exe files on the Hometroller. Down the road, I deleted those events. HST substituted the event call for the actual exe file. If I pressed any of those buttons, HST would crash.

    I discovered both of these bugs by just scrolling through a project's xml file looking for anything that didn't look right.

    So I recommend that everyone search their entire project directory (using a program like Notepad++) for any mention of "C:\" or "D:\" (or any other possible drive letter) then do a global search and replace, eliminating everything before "\Default" as I referenced above. Then search for "exe" and delete that call. Make a copy of your project first (just in case you mess up).

    I had an Android client that crashed every few days and after fixing the xml file, has run for a couple of weeks now crash free. I have a few Windows clients that would take minutes or hours to load screens that load instantly now.

    - Robert


  • waynehead99
    replied
    Last edited by waynehead99; December 16, 2017, 09:51 AM.


  • S-F
    replied
    Please don't get me wrong. I use HSTouch with custom screens that I really like and I'm generally an avid supporter of HS3 and HSTouch in general as should be evidenced by my forum activity. That said, I am willing to see the good with the bad. I'm extremely pleased to hear of the success you've had this year but I imagine that this has a lot to do with the great hardware you've brought to market recently. I want nothing more than for you to succeed and when Bill Gates dies and leaves all of his money to me I plan on investing a few hundred million in HST. It comes up quite a bit here that HS3 is an automation product as opposed to home control. The weak link with HS3 is the control aspect. Every other home automation system with maybe the exception of Crestron is almost entirely focused on the interface. HSTouch has the possibility of being the be all and end all of home control, but there are just too many issues with it.


  • rjh
    replied
    You are correct about HSTouch, however, it really does not compete with other systems. It was intended to be for dealers, for creating custom control screens. We have a ton of users who love it and it works great for them. I use it on all of my screens in my home, and it works perfect for me. The default project was our best attempt at a "universal" app. But that falls short as it was never designed to work like that. As a custom app, there is NO competition. Nothing that I know of anyway, unless you consider a system like Crestron.

    The new app looks totally different. The UI works as you would expect on the platform it's on. It has slide in menus, material graphics, etc. It does not look anything like HSTouch.

    As far as "sinking", HomeSeer has just had its best sales year ever, by far. I am sorry we are not living up to your expectations, but we have a lot of cool stuff coming out in 2018.

    Originally posted by S-F:
    A few thoughts about that:

    HSTouch has some serious shortcomings that would need to be addressed for it to remain competitive. When I want to turn a light off and I'm in bed, due to the way I keep my phone plugged in when I sleep, I have to do it all upside down. Not cool. Just an example. There are more. A LOT more. And I can give examples where the competition beats the snot out of HSTouch. Right out the door. Little configuration or setup required.

    Fix HSTouch. It's busticated on every platform and all around. It's the worst performing product HST has by a margin that boggles the mind.

    I know this will be ignored like every other comment about how awful the HS UI is.
    I'm sorry I wasted my few minutes typing this out.


    The second is if the new interface is anything like the new HSTouch stock........ Nope.

    My enthusiasm for the new product just dropped by about 95%. I was hoping for an alternative to HSTouch but with similar functionality.


    You folks need to wake up and realize that you're riding a sinking ship. You have the automation and compatibility angle covered but that doesn't mean anything if everyone buys a Google or Amazon or whoever device that can turn a light on and off. You are losing market percentage by the second.

    My hopes are dashed.
