We need native HTTPS support!

  • jjason
    replied
    Originally posted by rjh View Post
    Just to be clear, we do support https, just go to https://myhs.homeseer.com. No other HA system supports https directly to their system. If you use myhs you are encrypted from your browser to your system with SSL that is always kept up to date.


    I'm afraid that is both:
    1. Factually incorrect. Example: https://home-assistant.io/blog/2015/...-lets-encrypt/
    2. A really poor approach to security.

    Part of the reason I purchased Homeseer is that it can happily do everything while fully disconnected from the cloud. MyHS is a nice option to have, but it should not be a requirement for secure access.

    As a paying customer, part of what I paid for is to have a secure-able product. Please continue to keep it secure and do not remove HTTPS support.

    Don't make me WannaCry...
    https://en.m.wikipedia.org/wiki/Wann...somware_attack

    Jjason
    CISSP-ISSAP/ISSMP


    Sent from my iPhone using Tapatalk



  • beerygaz
    replied
    OpenHAB for one supports https out of the box.

    Using myhs adds 20 seconds or more to load times.

    Would it be possible for US law enforcement to gain access to my homeseer (security, cctv, lightning, etc) platform via MyHs?


    Sent from my iPhone using Tapatalk



  • Moskus
    replied
    Originally posted by rjh View Post
    Just to be clear, we do support https, just go to https://myhs.homeseer.com. No other HA system supports https directly to their system. If you use myhs you are encrypted from your browser to your system with SSL that is always kept up to date.
    We use HomeSeer because it's not like other HA systems...



  • rjh
    replied
    Just to be clear, we do support https, just go to https://myhs.homeseer.com. No other HA system supports https directly to their system. If you use myhs you are encrypted from your browser to your system with SSL that is always kept up to date.


    Originally posted by jjason View Post
    I do Information Security as part of my job. I require that my own home systems be secured on my home network. My Synology NAS, my APC UPS, my IP Cameras, and even my Raspberry PI NTP server, all support HTTPS. There is no reason that my Home Automation system should do any less. "Defense In Depth" - Accept nothing less.

    -----

    It's not only possible, but also fairly straightforward, to get a domain and a certificate:


    Domain Name Cost: $12/yr.
    Certificate for above domain name - single fully qualified DNS name (FQDN):
    Let's Encrypt: Free.
    NameCheap PositiveSSL (Comodo): $9/yr.
    https://www.namecheap.com/
    (Optional) Get a wildcard certificate (unlimited names in the domain) for $99/yr and use it with HomeSeer AND in other places too.
    You may also need to run something like DNSMasq for your own internal DNS service.

    -----

    I agree with other folks' statements that the built-in web server leaves a bit to be desired. How about supporting Nginx or Apache? Both are open source and fully cross-platform.

    -----

    And since we're on the topic, how about supporting HomeSeer as BOTH an Application AND as a Service on Windows?

    While some folks, including myself, have gotten the Application to run "sort of" like a service on Windows 10 with Task Scheduler, it's a poor hack that limits feature/function and isn't as reliable as a true service process. HomeSeer runs my HOUSE. It has to be as secure and reliable as humanly possible - and that means it needs to be a service process. It's time to step up, get past the "it's too hard to support" excuse, and just do it.

    jjason
    CISSP-ISSAP/ISSMP



  • jjason
    replied
    Originally posted by rjh View Post
    https is impossible to set up on your own system as you need a certificate to use properly. So we will probably be removing it in a future build. MyHS uses HTTPS and that is the recommended solution.
    I do Information Security as part of my job. I require that my own home systems be secured on my home network. My Synology NAS, my APC UPS, my IP Cameras, and even my Raspberry PI NTP server, all support HTTPS. There is no reason that my Home Automation system should do any less. "Defense In Depth" - Accept nothing less.

    -----

    It's not only possible, but also fairly straightforward, to get a domain and a certificate:


    Domain Name Cost: $12/yr.
    Certificate for above domain name - single fully qualified DNS name (FQDN):
    Let's Encrypt: Free.
    NameCheap PositiveSSL (Comodo): $9/yr.
    https://www.namecheap.com/
    (Optional) Get a wildcard certificate (unlimited names in the domain) for $99/yr and use it with HomeSeer AND in other places too.
    You may also need to run something like DNSMasq for your own internal DNS service.

    -----

    I agree with other folks' statements that the built-in web server leaves a bit to be desired. How about supporting Nginx or Apache? Both are open source and fully cross-platform.

    -----

    And since we're on the topic, how about supporting HomeSeer as BOTH an Application AND as a Service on Windows?

    While some folks, including myself, have gotten the Application to run "sort of" like a service on Windows 10 with Task Scheduler, it's a poor hack that limits feature/function and isn't as reliable as a true service process. HomeSeer runs my HOUSE. It has to be as secure and reliable as humanly possible - and that means it needs to be a service process. It's time to step up, get past the "it's too hard to support" excuse, and just do it.

    jjason
    CISSP-ISSAP/ISSMP



  • Kerat
    replied
    We need native HTTPS support!

    Originally posted by beerygaz View Post
    I found setting the "forwarded for" header has no effect in HomeSeer, it doesn't read this header.

    Using a "transparent ip" setting would require the Homeseer box to use the reverse proxy as its default gateway making for some really complex routing and IP networking.
    I have a handful of subdomains that I use for different back end resources.

    I have a backend setup to access my HS3 server on port 80 using transparent client IP (the backend is named: hs3_80-external). I was already using ACL rules on my front end to determine when the HTTPS request was for my HS3 subdomain.
    (Ex:
    Name: hs3_acl
    Expression: host starts with
    Value: homeseer)

    I then tied an action to the backend HS3 resource using an action (ex:
    Action: use backend
    Condition: hs3_acl
    Backend: hs3_80-external)

    Let's Encrypt does not have access to wildcard SSL certs, so I use the HTTPS SNI request to determine which SSL cert to match on. If the request is for HS3 then I hand them the HS3 subdomain SSL Cert.

    I did notice that with this setup my HAProxy system would work appropriately from the public Internet but would not work internally.

    My local network is pretty locked down. Guest access is locked down to a separate VLAN and wifi and runs on a changing WPA2 key. The guest wifi network is only available during daylight hours, and there are ACL rules that block communication between the guest net and my local LANs. I don't necessarily care to lockout internal clients using the anti-hack tool in HS3. My workaround to get HAProxy to work with HS3 internally was to:
    1. Copy the existing backend configuration for HS3 and deselect transparent client IP. I named this backend: hs3_80-internal.
    2. Add a new ACL in my port 443 front end that denotes my local intranet subnet
    (ex:
    Name: local_lan
    Expression: source IP matches IP or Alias
    Value: 10.0.0.0/16)
    3. Create a new action above my external HS3 action.
    (Ex:
    Action: use backend
    Condition ACL names: local_lan hs3_acl
    Backend: hs3_80-internal)
    This action will capture internal network requests for my HS3 subdomain and forward them to the "hs3_80-internal" backend instead.

    I duplicated the work around for both my internal subnets and found it to work well. Internal network logons to my HS3 environment appear to come from my router's IP address and not from the actual client's ip. Public Internet sourced logons display the public source IP address.


    Sent from my iPhone using Tapatalk
    Last edited by Kerat; June 18, 2017, 09:36 AM.



  • Kerat
    replied
    Originally posted by beerygaz View Post
    I found setting the "forwarded for" header has no effect in HomeSeer, it doesn't read this header.

    Using a "transparent ip" setting would require the Homeseer box to use the reverse proxy as its default gateway making for some really complex routing and IP networking.


    Agreed the forward for didn't seem to work for me. I have enabled the transparent client IP setting on my network and confirmed when I login from work the HS3 log and filter by web server events I see my work public IP address. I will have to check reverse proxy functionality while at home. I suspect that the expected network design for this to work would be a separate DMZ subnet where all back end servers access non DMZ resources through the reverse proxy.


    Sent from my iPhone using Tapatalk



  • beerygaz
    replied
    I found setting the "forwarded for" header has no effect in HomeSeer, it doesn't read this header.

    Using a "transparent ip" setting would require the Homeseer box to use the reverse proxy as its default gateway making for some really complex routing and IP networking.



  • Kerat
    replied
    Originally posted by beerygaz View Post
    How are you implementing HS3 authentication using the RP? Doesn't HS3 see all connections as local and thus bypass auth requests?


    Sent from my iPhone using Tapatalk


    HAproxy has two places that this can be done. The first is a setting (forward for) in the global settings that allows the system to overwrite the header with the end point's IP address. The second is a setting named "transparent client IP" in the back end configuration for the HS3 server. This passes the client IP address in place of the firewall's IP.


    Sent from my iPhone using Tapatalk

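As an added example (not from any post in this thread), here is a plain haproxy.cfg that matches the setup Kerat describes in his two posts above: the host-based ACL, the internal versus external backend split, and the "forward for" / "transparent client IP" settings. The ACL and backend names are the post's; the HS3 address, certificate directory and timeouts are assumed.

```haproxy
# Added example, not Kerat's pfSense export. Names hs3_acl, local_lan,
# hs3_80-internal and hs3_80-external come from the thread; the HS3 address
# 192.168.1.50 and the certificate directory are assumed placeholders.
global
    log /dev/log local0

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # One PEM per subdomain in the directory; HAProxy picks the cert by the
    # client's SNI, which is what "I hand them the HS3 subdomain SSL cert" means.
    bind *:443 ssl crt /etc/haproxy/certs/
    # The "forward for" global setting: adds X-Forwarded-For with the client IP.
    # The thread notes HS3 does not read this header, so it helps logging only.
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    acl hs3_acl   hdr_beg(host) -i homeseer    # "host starts with homeseer"
    acl local_lan src 10.0.0.0/16             # internal subnet from the post

    # Order matters: the LAN rule must sit above the external one, otherwise
    # internal clients would be sent through the transparent backend too.
    use_backend hs3_80-internal if local_lan hs3_acl
    use_backend hs3_80-external if hs3_acl

backend hs3_80-internal
    # No transparent client IP: HS3 sees the proxy/router address, as observed.
    server hs3 192.168.1.50:80 check

backend hs3_80-external
    # "Transparent client IP": connect to HS3 using the real client address,
    # so HS3 logs the public source IP and its anti-hack rules still apply.
    # Requires TPROXY support and HS3 routing its replies back via the proxy
    # (the default-gateway caveat raised in the thread).
    source 0.0.0.0 usesrc clientip
    server hs3 192.168.1.50:80 check
```

Because the internal backend hides the real client address, HS3's own IP-based lockout cannot distinguish LAN clients; that is the trade-off the post accepts.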


  • beerygaz
    replied
    How are you implementing HS3 authentication using the RP? Doesn't HS3 see all connections as local and thus bypass auth requests?


    Sent from my iPhone using Tapatalk



  • Kerat
    replied
    Originally posted by lifespeed View Post
    The reverse proxy sounds like a nice solution, I assume this implements SSL (and HTTPS) for services in your network that don't support it? I'll have to look into a windows implementation of this function. Or perhaps this is a good reason to ditch my old router for a more flexible PFSense box that can handle this natively. VPN is cool, but I know how that would go over explaining that to my wife and kids. It may just be one additional button, but combine that with occasional Android flakiness and it doesn't look good. I have tried using the built-in VPN in Android, and it chokes probably 30% of the time.
    Yes, it can act as the HTTPS SSL offload for both web services that support HTTPS and ones that do not. I believe that Nginx has a Windows port. Once set up you would open and forward port 443 to your server and set Nginx to listen on port 443. The only other services and resources you would need are:
    1. A registered domain (Namecheap and Google Domains are cheap),
    2. A DDNS client. Namecheap gives you one if you purchase a registered domain from them. Google Domains offers an integrated API that allows you to pick up a free client and configure it to work with it.
    3. An SSL certificate. Personally, you could try to set up a Let's Encrypt ACME client on your system and get the cost of a signed SSL certificate down to $0. Alternatively, you could purchase a signed SSL certificate (Namecheap uses Comodo and they are a solid paid version that is pretty cheap).

    I can't recommend PFSense enough. It is the Batman utility belt of firewalls and it does all of it well. The PFSense user community is well developed and the package creators do a really great job of supporting their products. The forum isn't on Tapatalk yet would be my only gripe. You can load it on just about any old PC you have laying around, install two network cards, and run through the initial setup. There is a little setup necessary but once it is up it works flawlessly. I have my reverse proxy, Let's Encrypt ACME client for SSL management and provisioning, Dynamic DNS client to keep my DDNS and CNAME subdomains up to date, and my VPN hosted on my PFSense firewall.



  • lifespeed
    replied
    Originally posted by Kerat View Post
    I can agree that it would be nice to have the SSL support for the management tool built into the application. Personally, after standing up my reverse proxy I don't know that I would use it. My HTPC system supports HTTPS and I still off-load SSL handling to my reverse proxy. Reverse proxies offer many advantages. For anything else I would use my VPN tunnel to my house. For other non-technical users though it would allow them to work in a more autonomous mode from any cloud hosted service.
    The reverse proxy sounds like a nice solution, I assume this implements SSL (and HTTPS) for services in your network that don't support it? I'll have to look into a windows implementation of this function. Or perhaps this is a good reason to ditch my old router for a more flexible PFSense box that can handle this natively. VPN is cool, but I know how that would go over explaining that to my wife and kids. It may just be one additional button, but combine that with occasional Android flakiness and it doesn't look good. I have tried using the built-in VPN in Android, and it chokes probably 30% of the time.



  • Kerat
    replied
    I can agree that it would be nice to have the SSL support for the management tool built into the application. Personally, after standing up my reverse proxy I don't know that I would use it. My HTPC system supports HTTPS and I still off-load SSL handling to my reverse proxy. Reverse proxies offer many advantages. For anything else I would use my VPN tunnel to my house. For other non-technical users though it would allow them to work in a more autonomous mode from any cloud hosted service.



  • lifespeed
    replied
    Originally posted by beerygaz View Post
    Nah, set it up and HS3 barfs up when trying to start the secure server. If HST just fixed what used to work in HS2, even with self-signed certs it would be a start.

    HSTouch is plain text too. The JSON interface is an amazing tool, but also plain text (unless via MyHS).
    You just saved me an hour of useless computer fiddling, thanks. As useful as Homeseer is, these are some important features that need to be addressed. By its nature, the user base is largely technically literate and can at least operate their own computer network. The expectation of direct, secure external access is completely reasonable and consistent with the intended use and user base of the software.



  • beerygaz
    replied
    Nah, set it up and HS3 barfs up when trying to start the secure server. If HST just fixed what used to work in HS2, even with self-signed certs it would be a start.

    HSTouch is plain text too. The JSON interface is an amazing tool, but also plain text (unless via MyHS).


    Sent from my iPhone using Tapatalk
