We need native HTTPS support!

  • rjh
    replied
    Yes. We should have betas posted for all systems this weekend so you can try the Linux version.

    Originally posted by Kerat:
    That is outstanding, will the HTTPS feature set be supported in the Linux flavor of HS3?


    Sent from my iPhone using Tapatalk



  • S-F
    replied
    A few thoughts about that:

    HSTouch has some serious shortcomings that would need to be addressed for it to remain competitive. When I want to turn a light off and I'm in bed, due to the way I keep my phone plugged in when I sleep, I have to do it all upside down. Not cool. Just an example. There are more. A LOT more. And I can give examples where the competition beats the snot out of HSTouch. Right out the door. Little configuration or setup required.

    Fix HSTouch. It's busticated on every platform and all around. It's the worst performing product HST has by a margin that boggles the mind.

    I know this will be ignored like every other comment about how awful the HS UI is.
    I'm sorry I wasted my few minutes typing this out.


    The second is if the new interface is anything like the new HSTouch stock........ Nope.

    My enthusiasm for the new product just dropped by about 95%. I was hoping for an alternative to HSTouch but with similar functionality.


    You folks need to wake up and realize that you're riding a sinking ship. You have the automation and compatibility angle covered but that doesn't mean anything if everyone buys a Google or Amazon or whoever device that can turn a light on and off. You are losing market percentage by the second.

    My hopes are dashed.



  • Kerat
    replied
    Originally posted by rjh:
    Some notes about security.

    We have made some server changes. When I test the myhs server with SSL Labs it gets an A.

    The HSTouch protocol encrypts the user/pass using AES 128 bit encryption so you will not see that on the wire.

    If you connect to the HS server directly using non SSL, it passes the user/pass using basic authentication base64 encoded, so there is no encryption there. When using SSL, everything is encrypted.

    I went ahead and updated HS3 to use the new SSL support included with .NET. So go ahead and give it a try. It is in build 398 and later. Here is the first build. You can always get the latest from the HS3 beta section. I am posting it here first for feedback. Now is your chance!

    http://homeseer.com/updates3/SetupHS3_3_0_0_398.msi

    Note that the settings for this have been moved to the "Labs" tab in setup until it gets tested.

    I removed the setting for the certificate file. The file is "server.pfx" and is in the HS root folder. There is one there already but you can replace as needed.

    That is outstanding, will the HTTPS feature set be supported in the Linux flavor of HS3?


    Sent from my iPhone using Tapatalk



  • concordseer
    replied
    Originally posted by rjh:
    For custom built apps, you can use HSTouch, that will continue to be supported.

    The new app is not customizable, other than a custom dashboard screen.

    The goal here is an easier to use app that a new user can use to control their system, including creating events, all from their phone. New users expect this today.

    It displays devices in a new format, rather than all the separate devices you now see in HSTouch.

    This is not going to be a "power user" app.

    Time frame is hopefully by spring we will have something to beta.
    Great news Rich. Your product will have greater appeal to the man or woman in the street if it's plug and go. I for one just want a product that does the job. I'm not interested in "eye candy". That's where a lot of products have failed in the past.

    For those looking for "bleeding edge" solutions there's no shortage of alternatives out there. I'd rather contribute to development of a product than knock it.



  • rxatwell
    replied
    Originally posted by rjh:
    For custom built apps, you can use HSTouch, that will continue to be supported.

    The new app is not customizable, other than a custom dashboard screen.

    The goal here is an easier to use app that a new user can use to control their system, including creating events, all from their phone. New users expect this today.

    It displays devices in a new format, rather than all the separate devices you now see in HSTouch.

    This is not going to be a "power user" app.

    Time frame is hopefully by spring we will have something to beta.
    I can appreciate that and am glad to hear that HSTouch is still going to be supported. Thanks for the update!



  • rjh
    replied
    For custom built apps, you can use HSTouch, that will continue to be supported.

    The new app is not customizable, other than a custom dashboard screen.

    The goal here is an easier to use app that a new user can use to control their system, including creating events, all from their phone. New users expect this today.

    It displays devices in a new format, rather than all the separate devices you now see in HSTouch.

    This is not going to be a "power user" app.

    Time frame is hopefully by spring we will have something to beta.

    Originally posted by rxatwell:
    This is great news. Without giving too much away, can you offer any sort of release date window? And will it be a custom builder format like HSTouch?



  • rxatwell
    replied
    Originally posted by rjh:
    We are still working on a totally new mobile app, which already does SSL for the connection.
    This is great news. Without giving too much away, can you offer any sort of release date window? And will it be a custom builder format like HSTouch?



  • rjh
    replied
    Some notes about security.

    We have made some server changes. When I test the myhs server with SSL Labs it gets an A.

    The HSTouch protocol encrypts the user/pass using AES 128 bit encryption so you will not see that on the wire.

    If you connect to the HS server directly using non SSL, it passes the user/pass using basic authentication base64 encoded, so there is no encryption there. When using SSL, everything is encrypted.

    I went ahead and updated HS3 to use the new SSL support included with .NET. So go ahead and give it a try. It is in build 398 and later. Here is the first build. You can always get the latest from the HS3 beta section. I am posting it here first for feedback. Now is your chance!

    http://homeseer.com/updates3/SetupHS3_3_0_0_398.msi

    Note that the settings for this have been moved to the "Labs" tab in setup until it gets tested.

    I removed the setting for the certificate file. The file is "server.pfx" and is in the HS root folder. There is one there already but you can replace as needed.

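The point in the post above about a direct non-SSL connection passing the user/pass as base64-encoded Basic authentication, as an added Python example that is not part of the post and is not HomeSeer's own code: it builds the Authorization header an HTTP client sends, shows that the credentials are recoverable from that header by anyone who can read the wire (base64 is an encoding, not encryption), and audits a constructed capture for credentials travelling over a non-TLS transport. This is the same check the thread's Wireshark observation makes by hand. The captured requests, the username and the password are constructed for the example; nothing here talks to an HS3 server.

```python
import base64
from typing import Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Build the header value a client sends for HTTP Basic auth (RFC 7617).

    The value is base64("user:pass"); base64 is reversible, so this is not encryption.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_header(value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic header, exactly as any observer of the wire could.

    Returns None for non-Basic schemes, malformed base64, or a payload with no ':' separator.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def make_capture():
    """Constructed sample capture: the same login over plain HTTP and over HTTPS, plus an
    unauthenticated request. Over HTTPS the header exists inside the TLS tunnel only, so an
    on-path observer sees ciphertext; over HTTP it is readable as-is."""
    header = basic_auth_header("demouser", "demopass")  # constructed credentials
    return [
        {"transport": "http", "headers": {"Authorization": header}},
        {"transport": "https", "headers": {"Authorization": header}},
        {"transport": "http", "headers": {}},
    ]


def audit_capture(requests):
    """Flag every request whose Basic credentials travel over a plaintext transport."""
    findings = []
    for index, req in enumerate(requests):
        creds = credentials_from_header(req["headers"].get("Authorization", ""))
        if creds is None:
            continue  # no Basic credentials in this request
        findings.append({
            "request": index,
            "user": creds[0],
            "exposed_on_wire": req["transport"] != "https",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_capture(make_capture()):
        state = "EXPOSED (plaintext HTTP)" if finding["exposed_on_wire"] else "protected by TLS"
        print(f"request {finding['request']}: user {finding['user']!r} {state}")
```

The audit only reports whether the transport was TLS; it does not, and cannot, judge the strength of the TLS itself. Pairing this with the "Your password will be sent unencrypted" browser warning quoted later in the thread gives a quick local confirmation of which listener a client is actually talking to.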


  • lifespeed
    replied
    built-in security without the cloud is a must

    I largely agree with the request for security in a home automation product controlling door locks, alarms and other critical systems. The VPN suggestions I see as only a temporary workaround. VPN tunnels break when the remote device connection changes, and the WAF is very poor. They just aren't an acceptable solution for mobile access. A third-party "cloud" should not be a prerequisite for security. This was billed as a self-contained system, which is one of the reasons some of us bought into the HS3 ecosystem. There is just no reason to relay through somebody else's server to access our own systems.

    A lot of good work has gone into HS3 and HSTOUCH. I think we can be optimistic for what the future holds. For those "advanced" users wanting secure remote access, it is not unreasonable to require the support of a web server in the PRO versions of Windows. Personally, I always use Windows Pro for my server PC. Linux of course has any number of well-supported web servers. I don't think this needs to rest on the shoulders of HS3 developers to re-invent the wheel to save users a few bucks on an appropriate OS.



  • Timon
    replied
    Originally posted by Krumpy:
    I agree with what Rich has stated. It would be a lot of work to redo the straight TCP based HSTouch clients to use HTTPS.

    If you are concerned (it makes sense) then I would implement a VPN solution and run HSTouch clients across that. I can help you with this if you're interested.
    I believe that people are bringing out very valid points that HS needs to address.
    • MyHS security: HS must have a third party check the site to see that it is truly secure. This should be done on a regular basis with that period being not less than one month and whenever any major changes are made. The results of this need to be made public via industry acceptable means. This usually means using the testing company's approval seal. HS, you are the gateway to our homes and we deserve nothing less.
    • Direct access via the web. I understand that making HTTPS direct access secure is an issue that's hard to do. It means that you either have to provide a full https front end to HS3 or depend on a full web server to provide that service. This also means that the user is now responsible to keep the HS3 secure and there is no way to test for that. For now I believe the best way is to use VPN for those that want direct access. Direct remote access to me is more of an advanced user feature so they should have no problem installing a VPN gateway.
    • Mobile apps: As HS has said they are rewriting the mobile app however they have not said if this new mobile app will have a secure direct access feature. If we can do direct access using the mobile app then I'm good with that however the mobile SSL interface to HS3 should be probed by a third party for any weakness.




  • zimmer62
    replied
    Originally posted by concordseer:
    I generally research a product thoroughly and ensure that it satisfies my needs before I purchase it. If I find that it falls short of my expectations I move on and purchase an alternative. What I generally do not do is make a purchase in the hope that at some time in the future it will meet my demands or demand that it should.
    Generally I do too...

    They used to have SSL support... your argument falls short.

    Generally I expect a software product to continue to support existing features...



  • zimmer62
    replied
    I've made my point before, and couldn't agree more with you (jjason)

    I think your best option right now if you're fairly technical is to setup a VPN that you can connect to from your phone which allows you secure access to your internal network.

    I was pretty worried about this stuff when HSTouch was released and I saw my password going over the network... A big old nope from me... no way am I opening that port.

    The damage that can be done by a hacker is no longer digital damage.



  • concordseer
    replied
    I generally research a product thoroughly and ensure that it satisfies my needs before I purchase it. If I find that it falls short of my expectations I move on and purchase an alternative. What I generally do not do is make a purchase in the hope that at some time in the future it will meet my demands or demand that it should.

    HA by nature is still a very experimental technology concept as it encompasses so many different technological elements and gathers them all under one umbrella. Some of those elements work well together and some do not. For example, we cannot expect to buy a switch, a timer or a valve in our local store and expect it to work with Homeseer out of the box without fully researching it.

    While Homeseer does try to be all things to all people it will on some occasions fall short of these expectations. I have tried quite a number of the alternatives, Vera being one example, and I can assure you that Homeseer is head and shoulders above them. You could of course get your hands dirty and fire up the likes of openHAB and Domoticz, an open solution where you can experiment to your heart's content while contributing solutions at the same time. This could well be the way to go for the "experts" out there.

    I for one prefer the Homeseer approach where the developers supply the solution and encourage contributions and suggestions from its users. Not all suggestions will be taken on board for various reasons, be they technical or aesthetic, but with community assistance solutions and workarounds can be found. Demanding that something should be implemented is not the way forward here.



  • jjason
    replied
    HomeSeer security is poor - and getting worse

    20171217 Updates BELOW in GREEN.

    Originally posted by Krumpy:
    Looks like HTTPS support has been dropped in the later builds.

    I have to admit that I am very disappointed that we are in 2017 and support for secure communications has been deprecated with the system.

    In my opinion, myHS is not acceptable as it is a hosted cloud solution. It is an unproven technology in terms of being secure until it is pen tested by an outside entity.

    I would caution folks thinking that it is secure. It might be, it might not be. We have already seen occurrences for various odd users showing up in the user accounts table that somehow appeared in the system.
    I have to agree with Krumpy; I'm having a very significant cognitive dissonance problem with HomeSeer's approach to security. Customers (users) are controlling ever more important sensors and actuators while HomeSeer is actively removing security functionality out of the product.

    1. Customers are controlling important things like water valves, door locks, alarm systems, thermostats, etc. These are real-world items with potentially expensive and painful real-world consequences if hacked.

    2. HomeSeer has completely lost native SSL/TLS security on its management interface in the latest builds. It simply doesn't work. The login screen for the management interface on the HTTP port 80 interface says, and I quote: "Log in to <machinename>:80 Your password will be send unencrypted." I checked with WireShark, and yes - the credentials are being sent unencrypted. BETA build with SSL capability now available. Cool!

    2a. I want to clarify here that I would NEVER recommend running HomeSeer directly connected to the Internet, with or without SSL, to anyone. In fact, I would recommend exposing nothing except a well-known secure VPN to the Internet. Consumer-grade software and hardware are very likely to be quickly hacked and taken. I have enough gizmos, gadgets, and guests on my home network that I want to take reasonable due-diligence precautions to protect myself, i.e. regular patching, antivirus everywhere, encrypted connections on all key services, etc.

    3. HomeSeer doesn't run as a service. I have to leave a system always logged in as a user. Its only protection? A screensaver. There is no technical reason that HomeSeer on Windows cannot run as a service. "It's hard" is not an excuse.

    4. Could someone please explain why the only "secure" way to access HomeSeer on my home network, from a phone on my home network, requires the Internet and a Cloud Service both be involved? I'm managing a computer less than 50 feet away on the same network! It's a HACK that adds several more failure points as well as significant unnecessary complexity for local access. Giving credit where due - MyHS is useful for remote access without a VPN. BETA build with SSL capability now available. Cool!

    5. Just how secure is MyHS anyway? What testing has been done by third parties to verify that the MyHS service is actually secure? Can we see the documentation from the testing? I did a quick check, and the service still has weak/insecure ciphers enabled on https://myhs.homeseer.com
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
    FIXED! TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE
    FIXED! TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE

    The Bottom Line: As a CISSP-ISSAP/ISSMP security professional and network architect/designer, I give Homeseer 2 out of 10 for security. Why 2 instead of zero? It has passwords and MyHS has SSL/TLS capability. As a paying customer, I'm not just unimpressed - I'm upset. I'm having to do special isolation and firewalled subnets on my home network to compensate for the poor security of the product. Security is a competitive differentiator. Get this done before your competition does.
    Last edited by jjason; December 16, 2017, 03:42 PM. Reason: Including updates

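The cipher-suite findings in the post above (3DES rated weak, the two RC4 suites rated insecure), as an added Python example that is not from the post and is not HomeSeer's tooling: a small audit that rates cipher-suite names in the form SSL Labs lists them, and a hardened client-side TLS context whose offered suites are then checked with the same rule. The scan lines are a constructed sample modelled on the three quoted above plus one modern suite for contrast. The rating rule (RC4, NULL, export and anonymous suites and single DES as insecure; 3DES and MD5-MAC suites as weak; everything else OK) is this example's own assumption and not SSL Labs' exact grading, and the OpenSSL cipher string is one sensible policy, not a HomeSeer setting.

```python
import ssl

# Constructed sample in the "NAME (0xID)" form the post above quotes from SSL Labs.
SAMPLE_SCAN_LINES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)",
    "TLS_RSA_WITH_RC4_128_SHA (0x5)",
    "TLS_RSA_WITH_RC4_128_MD5 (0x4)",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)",
]

# Substrings marking a suite as broken outright; IANA and OpenSSL spellings are both covered
# (RC4 stream cipher, NULL encryption, export-grade keys, anonymous/unauthenticated key exchange).
INSECURE_MARKERS = ("RC4", "NULL", "EXPORT", "EXP-", "ANON", "ADH-", "AECDH-")
# Substrings marking a suite as weak: triple DES (64-bit block) and MD5-based MACs.
WEAK_MARKERS = ("3DES", "DES-CBC3", "_MD5", "-MD5")


def rate_suite(name: str) -> str:
    """Classify one cipher-suite name as INSECURE, WEAK or OK (assumed rule, see lead-in)."""
    upper = name.upper()
    if any(marker in upper for marker in INSECURE_MARKERS):
        return "INSECURE"
    # Single DES: "WITH_DES_" (IANA) or "DES-CBC-" (OpenSSL); neither substring occurs in 3DES names.
    if "WITH_DES_" in upper or "DES-CBC-" in upper:
        return "INSECURE"
    if any(marker in upper for marker in WEAK_MARKERS):
        return "WEAK"
    return "OK"


def audit_scan(lines):
    """Map each suite name in scanner output to its rating; the hex id after it is ignored."""
    return {line.split()[0]: rate_suite(line.split()[0]) for line in lines if line.strip()}


def hardened_client_context() -> ssl.SSLContext:
    """A client context that refuses the suites rated above and static-RSA key exchange.

    '!kRSA' drops suites without forward secrecy; TLS 1.3 suites are unaffected by the
    cipher string and are always modern.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!kRSA:!RC4:!3DES:!MD5")
    return ctx


def offered_suites(ctx: ssl.SSLContext):
    """Names of the suites this context would offer in a ClientHello."""
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def weak_offered(ctx: ssl.SSLContext):
    """Suites the context would still offer that the audit rule does not rate OK."""
    return [name for name in offered_suites(ctx) if rate_suite(name) != "OK"]


if __name__ == "__main__":
    for suite, rating in audit_scan(SAMPLE_SCAN_LINES).items():
        print(f"{rating:8} {suite}")
    print("suites offered by hardened context that fail the rule:", weak_offered(hardened_client_context()))
```

The server side is where the post's findings actually live, and the same rule applies there: whichever listener terminates TLS (the .NET support mentioned earlier in the thread, or a reverse proxy in front of it) should be configured so that a fresh scan lists nothing that this classifier would rate INSECURE or WEAK.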
