We need native HTTPS support!

  • TechFan
    replied
    Originally posted by rjh View Post
    The user/pass is AES 128 bit encrypted, so while you could see the actual commands, not much you can do with them.
    I see. So, if someone played back the exact stream to the HS3 box later, it wouldn't execute the commands? That would be the concern if the user/pass is actually just hashed...
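
The replay concern raised in this post, as an added example that is not part of the thread and is not HomeSeer's protocol: a constructed toy exchange in which a fixed credential blob is accepted again when a captured message is resent, next to a challenge-response server that rejects the resend. The shared key, the command string and the message layout are assumptions, and an HMAC stands in for the encrypted user/pass because replay depends on freshness, not on the cipher.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-secret"  # assumption: secret known to client and server


def tag(*parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (prefixes avoid ambiguous joins)."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


STATIC_BLOB = tag(b"user:pass")  # stand-in for a fixed encrypted credential blob


def static_server(msg: dict) -> bool:
    """Accepts any command that carries the fixed blob; nothing ties it to one use."""
    return hmac.compare_digest(msg["blob"], STATIC_BLOB)


class ChallengeServer:
    """Hands out one-time nonces; the tag must cover the nonce and the command."""

    def __init__(self) -> None:
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, msg: dict) -> bool:
        if msg["nonce"] not in self.outstanding:
            return False  # never issued or already consumed: a replay
        self.outstanding.discard(msg["nonce"])  # single use, even on a bad tag
        return hmac.compare_digest(msg["tag"], tag(msg["nonce"], msg["command"]))


def demo() -> dict:
    cmd = b"device 12 on"  # constructed command
    captured = {"command": cmd, "blob": STATIC_BLOB}
    server = ChallengeServer()
    nonce = server.challenge()
    signed = {"nonce": nonce, "command": cmd, "tag": tag(nonce, cmd)}
    return {
        "static_first": static_server(captured),
        "static_replay": static_server(dict(captured)),
        "nonce_first": server.handle(signed),
        "nonce_replay": server.handle(dict(signed)),
    }
```
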


  • rjh
    replied
    The user/pass is AES 128 bit encrypted, so while you could see the actual commands, not much you can do with them.

    Originally posted by TechFan View Post
    So, HSTouch is already protected with encryption on direct connections? And won't allow traffic capture and replay by a third party if captured?


  • TechFan
    replied
    Originally posted by rjh View Post
    Correct, HSTouch does not use HTTP so standard SSL will not work. To support SSL we would need to rewrite all the clients and the server. But the important stuff is already encrypted with the HSTouch connection so I don't see the need for SSL there.
    So, HSTouch is already protected with encryption on direct connections? And won't allow traffic capture and replay by a third party if captured?


  • rjh
    replied
    Correct, HSTouch does not use HTTP so standard SSL will not work. To support SSL we would need to rewrite all the clients and the server. But the important stuff is already encrypted with the HSTouch connection so I don't see the need for SSL there.

    Originally posted by TechFan View Post
    I will be soon. I installed the beta, but then forgot to enable the feature in the labs area. I assume this is only for accessing the admin interface directly, not for HSTouch direct connections, right?


  • TechFan
    replied
    Originally posted by rjh View Post
    If you are asking if the latest Beta has new SSL support, then yes, it's in there.

    Lots of people seemed to have asked for it, but I only know of one person actually trying it.
    I will be soon. I installed the beta, but then forgot to enable the feature in the labs area. I assume this is only for accessing the admin interface directly, not for HSTouch direct connections, right?


  • rjh
    replied
    If you are asking if the latest Beta has new SSL support, then yes, it's in there.

    Lots of people seemed to have asked for it, but I only know of one person actually trying it.

    Originally posted by Moskus View Post
    Wow. Does the latest beta do this?


  • Moskus
    replied
    Originally posted by rjh View Post
    The SSL was implemented using third party code since SSL was not in .NET at the time we added it. It has since been added to .NET so it's pretty easy now to create an SSL TCP server and I am doing it already in MyHS. Just need to move the code over. It probably won't take long to implement.
    Wow. Does the latest beta do this?


  • jjason
    replied
    Thank you - I look forward to trying this out!


  • jjason
    replied
    Thank you for improving MYHS SSL security

    I wanted to acknowledge the improvement in SSL Security of MYHS. I used the Development version of SSL Labs' SSL tester which includes the check for the new ROBOT vulnerabilities (https://robotattack.org) and your service passed the SSL checks with flying colors.

    The only final SSL-related suggestion is that you may wish to disable TLS_RSA_WITH_3DES_EDE_CBC_SHA because it is known to be weak.


  • RJS
    replied
    Me too. Sorry

    - Robert


  • S-F
    replied
    Originally posted by Krumpy View Post
    Gentlemen,

    This thread is about security. Would it be feasible to refrain from discussions other than security related items?

    Yes, you are right. I apologize to the community at large for my temper tantrum.

    Now back to your regularly scheduled program.


  • Krumpy
    replied
    Gentlemen,

    This thread is about security. Would it be feasible to refrain from discussions other than security related items? Discussions regarding the new interface should be in a new thread... Please?

    I am a CISSP as well and want to give kudos to Rich for implementing a change that increases potential security. The reason I say potential is because we have to identify what ciphers are being used and test it. Like JJSON stated, AES128 is not a strong form of security. The banking industry would not accept it. AES256 or equivalent, or greater would be preferred.

    It sounds like some progress has been made and now we need to test the latest to ensure it works. Then we need to provide clear direction in terms of our security requirements so that Rich can research how to implement. We also have to accept the cost associated with this.


  • RJS
    replied
    Originally posted by S-F View Post
    ...I use HSTouch with custom screens that I really like and I'm generally an avid supporter of HS3 and HSTouch in general as should be evidenced by my forum activity... HSTouch has the possibility of being the be all and end all of home control, but there are just too many issues with it.
    I can't agree with you more. I use HSTouch with custom projects and never use the default projects. I enjoy creating screens. The customization of HST has gotten my wife off my back too. It's been a long time since she has asked how much I have spent on this stuff. That's because I listen to her gripes and tweak the HST interface / Events.

    However, the bugs in HST really add stress. When I get grief for something now, it's a bug's fault. Here are 2 that I found recently that caused my Windows/Android clients to either crash, become unresponsive or take forever to load screens. I know this is not the place to post them but since bugs are ignored anyway, it doesn't matter.
    bug1: Some paths within the project xml file include the drive letter. For example, instead of the path for a button being "\Default\Buttons\pad-yellow-norm.png" it appears in the file as "C:\Users\USER ACCOUNT\Documents\HSTouch\Skins\Default\Buttons\pad-yellow-norm.png".
    bug2: Here's the case - I had buttons in HST that called events. These particular events ran exe files on the Hometroller. Down the road, I deleted those events. HST substituted the event call for the actual exe file. If I pressed any of those buttons, HST would crash.

    I discovered both of these bugs by just scrolling through a project's xml file looking for anything that didn't look right.

    So I recommend that everyone search their entire project directory (using a program like Notepad++) for any mention of "C:\" or "D:\" (or any other possible drive letter) then do a global search and replace, eliminating everything before "\Default" as I referenced above. Then search for "exe" and delete that call. Make a copy of your project first (just in case you mess up).

    I had an Android client that crashed every few days and after fixing the xml file, has run for a couple of weeks now crash free. I have a few Windows clients that would take minutes or hours to load screens that load instantly now.

    - Robert
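
The cleanup recommended in this post, as an added example that is not part of the thread: a Python sketch that strips the drive-letter prefix in front of `\Default` and lists the lines that still mention an `.exe`, which it reports for manual review instead of deleting. The sample XML, its element and attribute names and the `C:\Tools\sync.exe` path are constructed, and project files are assumed to be UTF-8.

```python
import re
from pathlib import Path

# Drive-letter prefix up to (not including) the first "\Default\" segment.
ABS_PREFIX = re.compile(r'[A-Za-z]:\\[^"<>\r\n]*?(?=\\Default\\)')
EXE_REF = re.compile(r'\.exe\b', re.IGNORECASE)


def clean_project_xml(text: str):
    """Return (cleaned_text, paths_rewritten, line numbers that mention .exe)."""
    cleaned, count = ABS_PREFIX.subn("", text)
    exe_lines = [n for n, line in enumerate(cleaned.splitlines(), 1)
                 if EXE_REF.search(line)]
    return cleaned, count, exe_lines


def clean_project_dir(root: str) -> dict:
    """Rewrite every .xml under root, keeping a .bak copy of each changed file."""
    report = {}
    for path in Path(root).rglob("*.xml"):
        original = path.read_text(encoding="utf-8")  # assumption: UTF-8 files
        cleaned, count, exe_lines = clean_project_xml(original)
        if count:
            backup = path.with_suffix(path.suffix + ".bak")
            backup.write_text(original, encoding="utf-8")
            path.write_text(cleaned, encoding="utf-8")
        if count or exe_lines:
            report[str(path)] = (count, exe_lines)
    return report


# Constructed sample; element and attribute names are hypothetical.
SAMPLE = "\n".join([
    r'<button image="C:\Users\USER ACCOUNT\Documents\HSTouch\Skins\Default\Buttons\pad-yellow-norm.png"/>',
    r'<button image="\Default\Buttons\pad-yellow-norm.png"/>',
    r'<action target="C:\Tools\sync.exe"/>',
])

if __name__ == "__main__":
    cleaned, count, exe_lines = clean_project_xml(SAMPLE)
    print(cleaned)
    print("paths rewritten:", count, "| lines mentioning .exe:", exe_lines)
```
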


  • waynehead99
    replied
    Last edited by waynehead99; December 16, 2017, 09:51 AM.


  • S-F
    replied
    Please don't get me wrong. I use HSTouch with custom screens that I really like and I'm generally an avid supporter of HS3 and HSTouch in general as should be evidenced by my forum activity. That said, I am willing to see the good with the bad. I'm extremely pleased to hear of the success you've had this year but I imagine that this has a lot to do with the great hardware you've brought to market recently. I want nothing more than for you to succeed and when Bill Gates dies and leaves all of his money to me I plan on investing a few hundred million in HST. It comes up quite a bit here that HS3 is an automation product as opposed to home control. The weak link with HS3 is the control aspect. Every other home automation system with maybe the exception of Crestron is almost entirely focused on the interface. HSTouch has the possibility of being the be all and end all of home control, but there are just too many issues with it.
