We need native HTTPS support!

  • stefxx
    replied
    So... because I frequently forget to close my windows, I don't need a front door with a lock?

    End of the day, security is a responsibility of all of us. Novice users will probably be better off (read: more secure) by using MyHS anyway. However, since I am NOT a novice user, I choose to run NOTHING related to Home Automation in the cloud, and NOTHING is dependent on an Internet connection.

    This is against a trend that is unstoppable anyway. Did anyone notice that Chrome is flagging some non-ssl sites as unsafe already? I wouldn't be surprised if browsers will start disabling non-ssl sites altogether by default soon...



  • Krumpy
    replied
    My point to this post is just to bring awareness of these items. I want to thank HomeSeer Technologies for their consistent willingness to evolve. They have proven this time and time again. This may just be the horizon for the next evolution!

    HomeSeer Technologies is in business to provide home automation solutions. Let's think of it as a sort of "Internet of Things". They have never represented that there are not inherent risks associated with home automation especially when they are connected to the Internet. We as users have all assumed associated risks by connecting our homes to networking platforms such as the Internet. There are many security articles of "IoT" devices and their inherent risks...

    The difference between security novices and security experts is that security experts expect a breach and think of it not in terms of "if" but in terms of "when".

    HomeSeer is a successful product. No argument. The pro of being a successful product results in increased risks as more people are aware of its functionality and potentially also its weaknesses.

    Having a common glue such as MyHS allows a bad actor to potentially have a "path" to all of our homes. I give kudos to HomeSeer Technologies for even attempting to build such a solution, as from a developer's perspective it is not easy to build secure solutions like this. It takes serious thought and a team of experts to maintain such a solution. All of this results in significant business costs.

    I personally think that an HTTPS web service capability is the simplified solution for security. Let me engineer the path to my HomeSeer system and allow me to host my HS environment via secure HTTPS web transactions. If there is a cost to purchase an official certificate, then let me make that decision whether the risk versus reward is justified. From my perspective, the cost of an official certificate is well worth the investment to protect my automation resources.

    But we all know that a certificate will not necessarily guarantee that a breach will not occur:
    * How many of us utilize proper practices to keep our Windows system safe from intrusion? How many of us run HomeSeer using a legacy Windows operating system? How many of us run HomeSeer using the administrator account? How many of us implement proper systems security patching maintenance? I could go on and on.

    * How many of us use effective password practices? I am not sure, but my understanding is that the default password for HomeSeer is Default/default.... How many of us have changed it? I am not sure if this password credential is only accepted via local connection attempts or if it is also accepted by HomeSeer for remote connections. You can extrapolate from there.

    * How many of us have given thought to how our automation rules (events, etc.) operate outside of the "happy path"? Do you have rules or events to counter a bad actor from setting your t-stat to below freezing temps or vice versa? I mean, think of it... What would happen?

    Let's close by saying that proper information systems security practices are all of our responsibilities. We must be a team and work together to ensure that our home automation systems are secure.
    Last edited by Krumpy; March 3, 2017, 01:25 PM.


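The post above asks whether anyone has an event rule that stops a thermostat being driven to a dangerous setpoint. The following is an added example, not HomeSeer code or anything from the thread: a guardrail that evaluates each setpoint command against a safe band and a maximum per-command step, applies the ones that pass, and writes an audit line for every refusal so the operator can see that something tried. The band, step limit, source names and sample commands are all assumed values chosen for illustration.

```python
"""Guardrail for thermostat setpoint commands.

Added example (not HomeSeer code): an event-style check that refuses setpoint
requests outside a safe band or that jump too far in one step, and records the
refusal so an operator can investigate. Temperatures are degrees Fahrenheit.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy values; a real deployment picks its own.
MIN_SETPOINT_F = 50.0   # never let the house approach freezing
MAX_SETPOINT_F = 85.0   # never let it bake either
MAX_STEP_F = 10.0       # largest change accepted in a single command


@dataclass
class SetpointRequest:
    source: str        # hypothetical origin label, e.g. "local_ui", "remote_api"
    current_f: float   # the thermostat's present setpoint
    requested_f: float


def evaluate_setpoint(req: SetpointRequest) -> Tuple[bool, Optional[str]]:
    """Return (accepted, reason); reason is None when the request is accepted."""
    if not (MIN_SETPOINT_F <= req.requested_f <= MAX_SETPOINT_F):
        return False, (f"{req.requested_f}F outside safe band "
                       f"{MIN_SETPOINT_F}-{MAX_SETPOINT_F}F")
    delta = abs(req.requested_f - req.current_f)
    if delta > MAX_STEP_F:
        return False, f"change of {delta:.1f}F exceeds {MAX_STEP_F}F per command"
    return True, None


def apply_requests(start_f: float, commands: List[Tuple[str, float]]):
    """Walk a sequence of (source, requested_f) commands from a starting setpoint.

    Accepted commands move the setpoint; refused ones leave it untouched.
    Returns (final_setpoint, audit) where audit is a list of log lines.
    """
    setpoint = start_f
    audit: List[str] = []
    for source, requested in commands:
        ok, reason = evaluate_setpoint(SetpointRequest(source, setpoint, requested))
        if ok:
            setpoint = requested
            audit.append(f"ACCEPT {source}: setpoint -> {setpoint}F")
        else:
            audit.append(f"REFUSE {source}: {requested}F ({reason})")
    return setpoint, audit


# Constructed sample: a normal adjustment, a hostile attempt to drop to 40F,
# a large jump attempt, then another normal step.
SAMPLE_COMMANDS = [
    ("local_ui", 70.0),
    ("remote_api", 40.0),   # below the safe band: refused
    ("remote_api", 84.0),   # 70F to 84F is a 14F jump: refused
    ("local_ui", 68.0),
]

if __name__ == "__main__":
    final, log = apply_requests(72.0, SAMPLE_COMMANDS)
    print("\n".join(log))
    print("final setpoint:", final)
```

The step limit matters as much as the band: a command that stays inside the band but swings the house by many degrees at once is still the kind of change an operator wants to see in the audit trail before it takes effect.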

  • stefxx
    replied
    Originally posted by mloebl View Post
    I agree with all of this.
    Originally posted by TechFan View Post
    Yes. I do as well.
    +1



  • Moskus
    replied
    ... and I'm still surprised Rich didn't respond with a "Yes, we know it's stupid not to have proper SSL support, but we will address the issue ASAP".



  • TechFan
    replied
    Originally posted by mloebl View Post
    I agree with all of this.
    Yes. I do as well.



  • mloebl
    replied
    Originally posted by Krumpy View Post
    Rich,

    myHS is great for the average person. But keep in mind that we are all betting and depending on your infrastructure to protect our systems. MyHS is a global risk, as if it were compromised then we all could potentially be impacted. Do you have knowledgeable staff on the team that will practice ethical hacking to ensure that your environment meets industry security practices and standards? If not, then I would encourage you to be careful with the myHS recommendation as a solution for secure connectivity to people's homes.

    Second, by keeping all traffic with the local web server (http based) unencrypted, we are not addressing security concerns that may exist within an Intranet. I myself would prefer to use HTTPS even on my local network to protect from eavesdropping and to maintain security of my home.

    Food for thought... Please do not eliminate the HTTPS capability. In fact, please upgrade it to support the latest crypto standards to meet industry standards.
    I agree with all of this.



  • Krumpy
    replied
    Rich,

    myHS is great for the average person. But keep in mind that we are all betting and depending on your infrastructure to protect our systems. MyHS is a global risk, as if it were compromised then we all could potentially be impacted. Do you have knowledgeable staff on the team that will practice ethical hacking to ensure that your environment meets industry security practices and standards? If not, then I would encourage you to be careful with the myHS recommendation as a solution for secure connectivity to people's homes, as stuff does happen. I know that you mean well, but I would encourage you to be careful with statements that we should not have security concerns.

    Second, by keeping all traffic with the local web server (http based) unencrypted, we are not addressing security concerns that may exist within an Intranet. I myself would prefer to use HTTPS even on my local network to protect from eavesdropping and to maintain security of my home.

    Food for thought... Please do not eliminate the HTTPS capability. In fact, please upgrade it to support the latest crypto standards to meet industry standards.

    Originally posted by rjh View Post
    The local web interface is not going away, you will always be able to manage your system locally, without an Internet connection.

    You really cannot use SSL securely without a domain. Sure, you can create a self-signed cert, but that is not really secure.

    I don't know why there is push back on MyHS; we have made it very reliable (I use it every day), it uses SSL, and it's free. Why should we provide yet another secure solution for accessing your home system, one that is so complicated that only the really technical can use it?

    There are a bunch of free tunneling apps out there that you can run on your PC and they will allow you to securely tunnel into your home system. Also, as mentioned, you can use a VPN. So there are solutions available for the technically minded.
    Last edited by Krumpy; March 3, 2017, 12:02 PM.



  • langenet
    replied
    Originally posted by Moskus View Post
    Perfect!

    That means that if I replace "demo@homeseer.com" and "demo100" with my own credentials, it should work?

    Code:
    https://connected2.homeseer.com/JSON?user=demo@homeseer.com&pass=demo100&request=getstatus
    EDIT: Yes, it does work!
    Well, that's something at least!
    Now, if we only had Gzip or anything like that enabled perhaps speed could improve.

    My GetStatus JSON string is long. I have 986 devices...
    I saw this today and thought I'd give it a try. I get "do you want to open or save JSON.json from connected2.homeseer.com".

    I can use https://myhs.homeseer.com/ to access my system if I want. What gives?

    Robert



  • RJS
    replied
    Originally posted by rjh View Post
    But I would think you would use HSTouch for remote access, I never use the web interface, HSTouch is much easier and HSTouch uses very little data so it should be just about as fast as local connection.
    I use MYHS all the time for the web interface as well as HSTouch. The web interface is the only way to make changes to the system (such as event editing) while away from home. It's not super fast but it gets the job done.

    - Robert



  • Moskus
    replied
    Originally posted by rjh View Post
    For accessing MyHS with user/pass with JSON, see the help file here, and click on the JSON section. On the first page there is a sample URL that includes user/pass:

    http://homeseer.com/support/homeseer...DK/default.htm
    Perfect!

    That means that if I replace "demo@homeseer.com" and "demo100" with my own credentials, it should work?

    Code:
    https://connected2.homeseer.com/JSON?user=demo@homeseer.com&pass=demo100&request=getstatus
    EDIT: Yes, it does work!
    Well, that's something at least!
    Now, if we only had Gzip or anything like that enabled perhaps speed could improve.

    My GetStatus JSON string is long. I have 986 devices...


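The sample URL in the post above carries the user and password as query-string parameters. From a defender's point of view, anything of that shape is written into browser history, proxy logs and the web server's own access log, so the password survives long after the request. The following is an added example, not HomeSeer code or anything from the thread: it scans access-log lines in common log format for secret parameters in the request target, reports which lines (and which user) leaked one, and produces a redacted copy of the log that is safe to retain. The parameter-name lists, the log lines and the password value in them are constructed for illustration.

```python
"""Find and redact credentials carried in URL query strings.

Added example (not HomeSeer code). Scans web-server access-log lines for
secret-looking query parameters such as pass= or token=, reports the leaks,
and rewrites the lines with the secret values replaced.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (assumed list; extend for your own apps).
SECRET_PARAMS = {"pass", "password", "passwd", "pwd", "token", "apikey", "api_key"}
# Parameter names that identify the account, reported but not redacted.
IDENTITY_PARAMS = {"user", "username", "login"}

# Common-log-format request line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def credentials_in_url(url: str) -> Dict[str, str]:
    """Return the secret and identity parameters found in url's query string."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SECRET_PARAMS | IDENTITY_PARAMS}


def redact_url(url: str) -> str:
    """Replace the values of secret parameters with a marker; keep the rest."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Return (findings, redacted_lines).

    findings holds one dict per line whose request target carried a secret
    parameter: the line index, the user (if an identity parameter was present)
    and the sorted parameter names seen. redacted_lines is the full log with
    secret values replaced, so it can be kept where the original cannot.
    """
    findings: List[dict] = []
    redacted: List[str] = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if m:
            target = m.group("target")
            found = credentials_in_url(target)
            if any(k.lower() in SECRET_PARAMS for k in found):
                findings.append({
                    "line": i,
                    "user": next((v for k, v in found.items()
                                  if k.lower() in IDENTITY_PARAMS), None),
                    "params": sorted(found),
                })
                line = line.replace(target, redact_url(target))
        redacted.append(line)
    return findings, redacted


# Constructed sample log lines (not real traffic). The second mirrors the shape
# of the URL quoted in the thread; the password value here is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2017:15:16:33 -0500] "GET /JSON?request=getstatus HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Mar/2017:15:17:01 -0500] "GET /JSON?user=demo@homeseer.com&pass=hunter2&request=getstatus HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2017:15:18:44 -0500] "GET /login?username=admin&password=Default&x=1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    leaks, clean = scan_access_log(SAMPLE_LOG)
    for leak in leaks:
        print(f"line {leak['line']}: user={leak['user']} params={leak['params']}")
    print("\n".join(clean))
```

Running the scan over a real access log before it is shipped to a log collector is the practical use: the findings tell you which accounts need a password change, and the redacted copy is what gets retained. The redaction keeps the `user=` value so the finding stays attributable; only the secret parameters are replaced.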

  • rjh
    replied
    If you want to PM or email me your login I would be happy to try from here. If it's ok from here, it might tell us something.

    Originally posted by rmasonjr View Post
    I am in SouthWest MS...

    You can use my myHS credentials to connect if you want. I suspect you'll see the same thing I am. Mine is the first connection. The second is a ZeeS2 I manage for a friend.



  • rjh
    replied
    MyHS does not use the HSTouch plugin for web access, so that should not matter.

    Originally posted by TechFan View Post
    Rich,

    You don't think it might be the HSTouch plug-in version? Not sure what is in the newer releases. I updated to .85 for some reason (don't remember what), but I haven't seen any change logs/release notes for the HSTouch plugin since... could be missing them...



  • rmasonjr
    replied
    Originally posted by rjh View Post
    307 is a beta, but that should not matter. Update to 312 and see if there is any change, I suspect not. I don't understand why you cannot access reliably, all looks ok on this end. Where are you located?
    I am in SouthWest MS...

    You can use my myHS credentials to connect if you want. I suspect you'll see the same thing I am. Mine is the first connection. The second is a ZeeS2 I manage for a friend.



  • TechFan
    replied
    Originally posted by rjh View Post
    307 is a beta, but that should not matter. Update to 312 and see if there is any change, I suspect not. I don't understand why you cannot access reliably, all looks ok on this end. Where are you located?
    Rich,

    You don't think it might be the HSTouch plug-in version? Not sure what is in the newer releases. I updated to .85 for some reason (don't remember what), but I haven't seen any change logs/release notes for the HSTouch plugin since... could be missing them...



  • rjh
    replied
    307 is a beta, but that should not matter. Update to 312 and see if there is any change, I suspect not. I don't understand why you cannot access reliably, all looks ok on this end. Where are you located?

    Originally posted by rmasonjr View Post
    Current Date/Time: 3/1/2017 3:16:33 PM
    HomeSeer Version: HS3 Pro Edition 3.0.0.307
    Linux version: Linux RPi2 3.18.5-v7+ #225 SMP PREEMPT Fri Jan 30 18:53:55 GMT 2015 armv7l GNU/Linux System Uptime: 5 Days 23 Hours 59 Minutes 11 Seconds
    IP Address: 192.168.0.142
    Number of Devices: 299
    Number of Events: 170
    Available Threads: 372

    Enabled Plug-Ins
    2.0.89.0: BLRF
    3.0.0.31: EasyTrigger
    3.0.1.18: HAI
    3.0.0.103: HSTouch Server
    3.0.0.63: weatherXML
    3.0.1.102: Z-Wave
