We need native HTTPS support!


  • Kerat
    replied
    We need native HTTPS support!

    Originally posted by lifespeed
    While I second this request, I will point out that HSTOUCH can directly access your HS3 installation today. But not using SSL/TLS, which is perhaps what you meant?


    Fair enough, updated. I do have it enabled on my system, but am a bit unhappy with the AES-128 bit encryption and the fact that I can't pass the connection over port 443 along with my other services I make available on my reverse proxy.


    Sent from my iPhone using Tapatalk
    Last edited by Kerat; December 15, 2017, 12:04 AM.



  • lifespeed
    replied
    Originally posted by Kerat
    Sweet. Would you please design the HSTOUCH replacement such that we can configure direct access to our systems and without the need for a cloud based solution to act as an intermediary service host? I too have a reverse proxy stood up at home, a subdomain I own, and an SSL cert that is publicly trusted. I would love to use for this specific scenario.
    While I second this request, I will point out that HSTOUCH can directly access your HS3 installation today. But not using SSL/TLS, which is perhaps what you meant?



  • Kerat
    replied
    We need native HTTPS support!

    Originally posted by rjh
    We are still working on a totally new mobile app, which already does SSL for the connection.

    Sweet. Would you please design the HSTOUCH replacement such that we can configure direct access to our systems using SSL/TLS encrypted HTTP connections and without the need for a cloud based solution to act as an intermediary service host? I too have a reverse proxy stood up at home, a subdomain I own, and an SSL cert that is publicly trusted. I would love to use for this specific scenario.



    Sent from my iPhone using Tapatalk
    Last edited by Kerat; December 14, 2017, 11:26 PM.



  • rjh
    replied
    The SSL was implemented using third party code since SSL was not in .NET at the time we added it. It has since been added to .NET so it's pretty easy now to create an SSL TCP server and I am doing it already in MyHS. Just need to move the code over. It probably won't take long to implement.

    Originally posted by Krumpy
    I was wrong and you are correct that the legacy HTTPS is still there. Please accept my apologies.

    At some point soon, please do upgrade the HTTPS service to support the newer TLS based communications. It is my understanding that in general the industry has deprecated the legacy SSL based communications in favor of TLS.

    Thank you!



  • Krumpy
    replied
    I agree with what Rich has stated. It would be a lot of work to redo the straight TCP based HSTouch clients to use HTTPS.

    If you are concerned (it makes sense) then I would implement a VPN solution and run HSTouch clients across that. I can help you with this if you're interested.


    Originally posted by waynehead99
    If you are already working on something, that works for me.

    Basically I have a cert sitting on my router for the HSTouch port. This acts as a proxy for all communication coming into my house to make sure it is secured. Cert doesn't need to sit on the client in this config.

    Thanks Rich.



  • Krumpy
    replied
    I was wrong and you are correct that the legacy HTTPS is still there. Please accept my apologies.

    At some point soon, please do upgrade the HTTPS service to support the newer TLS based communications. It is my understanding that in general the industry has deprecated the legacy SSL based communications in favor of TLS.

    Thank you!

    Originally posted by rjh
    Not on purpose, it should still be in there.

    I do plan on updating it, it uses older protocols.

    MyHS is really the way to go, especially if you want to use voice services like Alexa and Google Home. All the work for those is done on the server.



  • waynehead99
    replied
    Originally posted by rjh
    Not sure I follow what you are trying to do. The HSTouch connection is a simple TCP connection and it uses our own protocol. The user/pass are AES 128 bit encrypted. To use SSL for the connection would be a work item. I don't have plans to do this right now. If you use MYHS, the connection from our server to your PC is AES encrypted, including the data.

    To do SSL from the client would require work on all the clients.

    We are still working on a totally new mobile app, which already does SSL for the connection.
    If you are already working on something, that works for me.

    Basically I have a cert sitting on my router for the HSTouch port. This acts as a proxy for all communication coming into my house to make sure it is secured. Cert doesn't need to sit on the client in this config.

    Thanks Rich.



  • rjh
    replied
    Not sure I follow what you are trying to do. The HSTouch connection is a simple TCP connection and it uses our own protocol. The user/pass are AES 128 bit encrypted. To use SSL for the connection would be a work item. I don't have plans to do this right now. If you use MYHS, the connection from our server to your PC is AES encrypted, including the data.

    To do SSL from the client would require work on all the clients.

    We are still working on a totally new mobile app, which already does SSL for the connection.

    Originally posted by waynehead99
    Rich,
    I opened another thread about a month ago on this topic as well. Are there any plans to have HSTouch support SSL certs? When I try to use one, HSTouch can't talk to HS3 directly anymore.



  • waynehead99
    replied
    Rich,
    I opened another thread about a month ago on this topic as well. Are there any plans to have HSTouch support SSL certs? When I try to use one, HSTouch can't talk to HS3 directly anymore.



  • rjh
    replied
    Not on purpose, it should still be in there.

    I do plan on updating it, it uses older protocols.

    MyHS is really the way to go, especially if you want to use voice services like Alexa and Google Home. All the work for those is done on the server.

    Originally posted by Krumpy
    Looks like HTTPS support has been dropped in the later builds.

    I have to admit that I am very disappointed that we are in 2017 and support for secure communications has been deprecated with the system.

    In my opinion, myHS is not acceptable as it is a hosted cloud solution. It is an unproven technology in terms of being secure until it is pen tested by an outside entity.

    I would caution folks thinking that it is secure. It might be, it might not be. We have already seen occurrences for various odd users showing up in the user accounts table that somehow appeared in the system.



  • Krumpy
    replied
    Looks like HTTPS support has been dropped in the later builds.

    I have to admit that I am very disappointed that we are in 2017 and support for secure communications has been deprecated with the system.

    In my opinion, myHS is not acceptable as it is a hosted cloud solution. It is an unproven technology in terms of being secure until it is pen tested by an outside entity.

    I would caution folks thinking that it is secure. It might be, it might not be. We have already seen occurrences for various odd users showing up in the user accounts table that somehow appeared in the system.



  • Moskus
    replied
    Originally posted by rjh
    Linux would work, but there really isn't any good asp.net web server for Windows other than IIS and that is only supported on PRO versions of Windows.

    We are looking at updating the SSL support on our server.
    I don't think that's right anymore. .NET Core is great for multiplatform development, and ASP.NET Core certainly exists. It's not exactly IIS, but it could be a great solution nonetheless.



  • TechFan
    replied
    Originally posted by rjh
    Linux would work, but there really isn't any good asp.net web server for Windows other than IIS and that is only supported on PRO versions of Windows.

    We are looking at updating the SSL support on our server.
    Glad to hear it is potentially going to get an update! Of course, I use the Linux version, so allowing SSL support for the client connections and remote web interface in Linux would be great! It seems it should work, but when I tested it long ago I ran into complications with the MONO configuration. Maybe it was just needing to know the right config files to tweak.



  • rjh
    replied
    Linux would work, but there really isn't any good asp.net web server for Windows other than IIS and that is only supported on PRO versions of Windows.

    We are looking at updating the SSL support on our server.

    Originally posted by zimmer62
    I can't believe we are having this security discussion in 2017..

    When home automation was a little bit less mainstream and security through obscurity was a thing..

    But seriously...

    You are connecting your HOUSE to the internet, this includes:

    Motion sensors
    Door locks
    Lights
    Appliances
    Heating and Cooling
    Cameras
    etc...

    I'm sure you can figure out what evil doers would do with access to any of those things... but let me elaborate.

    Motion sensors (You're not home)
    Door locks (unlock and come in)
    Lights (turn them on and waste your power, or wake you up in the middle of the night to a bright house)
    Appliances (Depends, but maybe turn off something that shouldn't be off when you're on vacation)
    Heating and cooling.... frozen pipes costly damage... overheated pets?
    Cameras... um yeah.

    So seriously you should be protecting this stuff more so than your Facebook password.... encrypted network traffic is no good for this kind of stuff... PERIOD

    And as far as a cloud solution, there is the problem if that gets hacked, which.... seems like a good target, you now know 10000's of home automated endpoints. This is pretty serious business tying the real world into the digital world... it's not like a hacked system will just be a digital annoyance... real physical damage could be done.

    So... please in the next version of HomeSeer just use an external webserver, don't build it in... The benefits of that are tremendous. In fact if the only thing you worried about was an API and you built a SPA-style client rich interface the webpages being served up could run on any web server.



  • zimmer62
    replied
    I can't believe we are having this security discussion in 2017..

    When home automation was a little bit less mainstream and security through obscurity was a thing..

    But seriously...

    You are connecting your HOUSE to the internet, this includes:

    Motion sensors
    Door locks
    Lights
    Appliances
    Heating and Cooling
    Cameras
    etc...

    I'm sure you can figure out what evil doers would do with access to any of those things... but let me elaborate.

    Motion sensors (You're not home)
    Door locks (unlock and come in)
    Lights (turn them on and waste your power, or wake you up in the middle of the night to a bright house)
    Appliances (Depends, but maybe turn off something that shouldn't be off when you're on vacation)
    Heating and cooling.... frozen pipes costly damage... overheated pets?
    Cameras... um yeah.

    So seriously you should be protecting this stuff more so than your Facebook password.... encrypted network traffic is no good for this kind of stuff... PERIOD

    And as far as a cloud solution, there is the problem if that gets hacked, which.... seems like a good target, you now know 10000's of home automated endpoints. This is pretty serious business tying the real world into the digital world... it's not like a hacked system will just be a digital annoyance... real physical damage could be done.

    So... please in the next version of HomeSeer just use an external webserver, don't build it in... The benefits of that are tremendous. In fact if the only thing you worried about was an API and you built a SPA-style client rich interface the webpages being served up could run on any web server.
