We need native HTTPS support!


    Last edited by waynehead99; December 16, 2017, 09:51 AM.

    Comment


      Originally posted by S-F View Post
      ...I use HSTouch with custom screens that I really like and I'm generally an avid supporter of HS3 and HSTouch in general as should be evidenced by my forum activity... HSTouch has the possibility of being the be all and end all of home control, but there are just too many issues with it.
      I can't agree with you more. I use HSTouch with custom projects and never use the default projects. I enjoy creating screens. The customization of HST has gotten my wife off my back too. It's been a long time since she has asked how much I have spent on this stuff. That's because I listen to her gripes and tweak the HST interface / Events.

      However, the bugs in HST really add stress. When I get grief for something now, it's a bug's fault. Here are 2 that I found recently that caused my Windows/Android clients to either crash, become unresponsive or take forever to load screens. I know this is not the place to post them but since bugs are ignored anyway, it doesn't matter.
      bug1: Some paths within the project xml file include the drive letter. For example, instead of the path for a button being "\Default\Buttons\pad-yellow-norm.png" it appears in the file as "C:\Users\USER ACCOUNT\Documents\HSTouch\Skins\Default\Buttons\pad-yellow-norm.png".
      bug2: Here's the case - I had buttons in HST that called events. These particular events ran exe files on the Hometroller. Down the road, I deleted those events. HST substituted the event call for the actual exe file. If I pressed any of those buttons, HST would crash.

      I discovered both of these bugs by just scrolling through a project's xml file looking for anything that didn't look right.

      So I recommend that everyone search their entire project directory (using a program like Notepad++) for any mention of "C:\" or "D:\" (or any other possible drive letter) then do a global search and replace, eliminating everything before "\Default" as I referenced above. Then search for "exe" and delete that call. Make a copy of your project first (just in case you mess up).

      I had an Android client that crashed every few days and after fixing the xml file, has run for a couple of weeks now crash free. I have a few Windows clients that would take minutes or hours to load screens that load instantly now.

      - Robert

      Comment


        Gentlemen,

        This thread is about security. Would it be feasible to refrain from discussions other than security-related items? Discussions regarding the new interface should be in a new thread... Please?

        I am a CISSP as well and want to give kudos to Rich for implementing a change that increases potential security. The reason I say potential is because we have to identify what ciphers are being used and test it. Like JJSON stated, AES128 is not a strong form of security. The banking industry would not accept it. AES256 or equivalent, or greater would be preferred.

        It sounds like some progress has been made and now we need to test the latest to ensure it works. Then we need to provide clear direction in terms of our security requirements so that Rich can research how to implement. We also have to accept the cost associated with this.
        HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.

        Comment


          Originally posted by Krumpy View Post
          Gentlemen,

          This thread is about security. Would it be feasible to refrain from discussions other than security-related items?

          Yes, you are right. I apologize to the community at large for my temper tantrum.

          Now back to your regularly scheduled program.
          Originally posted by rprade
          There is no rhyme or reason to the anarchy a defective Z-Wave device can cause

          Comment


            Me too. Sorry

            - Robert

            Comment


              Thank you for improving MYHS SSL security

              I wanted to acknowledge the improvement in SSL Security of MYHS. I used the Development version of SSL Labs' SSL tester which includes the check for the new ROBOT vulnerabilities (https://robotattack.org) and your service passed the SSL checks with flying colors.

              The only final SSL-related suggestion is that you may wish to disable TLS_RSA_WITH_3DES_EDE_CBC_SHA because it is known to be weak.

              Comment
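An added example (not part of the post above, and not HomeSeer code) of the kind of check that suggestion implies: it classifies cipher suites by their IANA names, marking broken bulk ciphers such as 3DES for removal and flagging RSA key exchange, the mode ROBOT targets, and CBC suites for review. The sample list is constructed; only TLS_RSA_WITH_3DES_EDE_CBC_SHA comes from the post.

```python
import re

# IANA-style TLS 1.2 names: TLS_<key exchange>_WITH_<bulk cipher>_<hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")
# TLS 1.3 names carry no key exchange part; all three are AEAD suites.
TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
         "TLS_CHACHA20_POLY1305_SHA256"}
# Name tokens that mark a suite to switch off outright.
BROKEN_TOKENS = {"3DES", "DES", "DES40", "RC4", "NULL", "EXPORT"}

def classify(suite):
    """Return (verdict, reasons) for one cipher-suite name."""
    if suite in TLS13:
        return ("ok", [])
    m = SUITE_RE.match(suite)
    if m is None:
        return ("unknown", [])
    reasons = sorted(set(suite.split("_")) & BROKEN_TOKENS)
    verdict = "disable" if reasons else "ok"
    if m["kx"] == "RSA":
        reasons.append("RSA-KX")  # RSA key transport: no forward secrecy, ROBOT's target
    if m["cipher"].endswith("CBC"):
        reasons.append("CBC")     # MAC-then-encrypt CBC has a padding-oracle history
    if verdict == "ok" and reasons:
        verdict = "review"
    return (verdict, reasons)

def audit(suites):
    """Map every suite that is not 'ok' to its (verdict, reasons)."""
    results = {s: classify(s) for s in suites}
    return {s: r for s, r in results.items() if r[0] != "ok"}

# Constructed sample of what a server might offer.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for name, (verdict, reasons) in audit(SAMPLE).items():
        print(f"{verdict:8} {name}  ({', '.join(reasons)})")
```
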


                Thank you - I look forward to trying this out!

                Comment


                  Originally posted by rjh View Post
                  The SSL was implemented using third party code since SSL was not in .NET at the time we added it. It has since been added to .NET so it's pretty easy now to create an SSL TCP server and I am doing it already in MyHS. Just need to move the code over. It probably won't take long to implement.
                  Wow. Does the latest beta do this?
                  HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
                  Running on Windows 10 (64) virtualized
                  on ESXi (Fujitsu Primergy TX150 S8).
                  WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

                  Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

                  Comment


                    If you are asking if the latest Beta has new SSL support, then yes, it's in there.

                    Lots of people seemed to have asked for it, but I only know of one person actually trying it.

                    Originally posted by Moskus View Post
                    Wow. Does the latest beta do this?
                    website | buy now | support | youtube

                    Comment


                      Originally posted by rjh View Post
                      If you are asking if the latest Beta has new SSL support, then yes, it's in there.

                      Lots of people seemed to have asked for it, but I only know of one person actually trying it.
                      I will be soon. I installed the beta, but then forgot to enable the feature in the labs area. I assume this is only for accessing the admin interface directly, not for HSTouch direct connections, right?

                      Comment


                        Correct, HSTouch does not use HTTP so standard SSL will not work. To support SSL we would need to rewrite all the clients and the server. But the important stuff is already encrypted with the HSTouch connection so I don't see the need for SSL there.

                        Originally posted by TechFan View Post
                        I will be soon. I installed the beta, but then forgot to enable the feature in the labs area. I assume this is only for accessing the admin interface directly, not for HSTouch direct connections, right?
                        website | buy now | support | youtube

                        Comment


                          Originally posted by rjh View Post
                          Correct, HSTouch does not use HTTP so standard SSL will not work. To support SSL we would need to rewrite all the clients and the server. But the important stuff is already encrypted with the HSTouch connection so I don't see the need for SSL there.
                          So, HSTouch is already protected with encryption on direct connections? And won't allow traffic capture and replay by a third party if captured?

                          Comment


                            The user/pass is AES 128 bit encrypted, so while you could see the actual commands, not much you can do with them.

                            Originally posted by TechFan View Post
                            So, HSTouch is already protected with encryption on direct connections? And won't allow traffic capture and replay by a third party if captured?
                            website | buy now | support | youtube

                            Comment


                              Originally posted by rjh View Post
                              The user/pass is AES 128 bit encrypted, so while you could see the actual commands, not much you can do with them.
                              I see. So, if someone played back the exact stream to the HS3 box later, it wouldn't execute the commands? That would be the concern if the user/pass is actually just hashed. . .

                              Comment
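The replay question raised above, as an added example that is not from the thread and does not describe how HSTouch works: a generic challenge-response in which the server issues a one-time nonce and the client authenticates each command with an HMAC over nonce and command, so a captured request is rejected when sent again. The class and function names, the shared secret and the command string are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Server:
    """Hypothetical server that accepts each authenticated request once."""

    def __init__(self, users):
        self.users = users       # username -> shared secret (bytes)
        self.pending = set()     # nonces issued and not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)   # fresh, unpredictable, fixed length
        self.pending.add(nonce)
        return nonce

    def execute(self, user, nonce, command, tag):
        if nonce not in self.pending:
            return False                  # never issued, or already used: replay
        self.pending.discard(nonce)       # consume before any further checks
        key = self.users.get(user)
        if key is None:
            return False
        expected = hmac.new(key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)   # constant-time compare

def sign(key, nonce, command):
    """Client side: bind the command to this one nonce."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()

def demo():
    key = b"constructed-shared-secret"    # sample value, not a real credential
    server = Server({"alice": key})
    command = b"device 12 on"             # constructed command string

    nonce = server.challenge()
    tag = sign(key, nonce, command)
    first = server.execute("alice", nonce, command, tag)
    replayed = server.execute("alice", nonce, command, tag)   # same bytes again

    nonce2 = server.challenge()
    altered = server.execute("alice", nonce2, b"device 12 off",
                             sign(key, nonce2, command))      # tag for other command
    return first, replayed, altered

if __name__ == "__main__":
    print(demo())
```
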


                                Originally posted by rjh View Post
                                Lots of people seemed to have asked for it, but I only know of one person actually trying it.
                                I apologize, but my house needs to be running. I'm not risking beta versions at the moment!

                                I'll fire up the Zee2 and ... zee if I can install it there.
                                Is it easy to update the Zee2 to use Mono 5?
                                HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
                                Running on Windows 10 (64) virtualized
                                on ESXi (Fujitsu Primergy TX150 S8).
                                WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

                                Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!

                                Comment
