So... because I frequently forget to close my windows, I don't need a front door with a lock?
End of the day, security is a responsibility of all of us. Novice users will probably be better off (read: more secure) by using MyHS anyway. However, since I am NOT a novice user, I choose to run NOTHING related to Home Automation in the cloud, and NOTHING is dependent on an Internet connection.
This is against a trend that is unstoppable anyway. Did anyone notice that Chrome is flagging some non-SSL sites as unsafe already? I wouldn't be surprised if browsers start disabling non-SSL sites altogether by default soon...
We need native HTTPS support!
-
My point to this post is just to bring awareness of these items. I want to thank HomeSeer Technologies for their consistent willingness to evolve. They have proven this time and time again. This may just be the horizon for the next evolution!
HomeSeer Technologies is in business to provide home automation solutions. Let's think of it as a sort of "Internet of Things". They have never represented that there are not inherent risks associated with home automation especially when they are connected to the Internet. We as users have all assumed associated risks by connecting our homes to networking platforms such as the Internet. There are many security articles of "IoT" devices and their inherent risks...
The difference between security novices and security experts is that security experts expect a breach and think of it not in terms of "if" but in terms of "when".
HomeSeer is a successful product. No argument. The pro of being a successful product results in increased risks as more people are aware of its functionality and potentially also its weaknesses.
Having a common glue such as MyHS allows a bad actor to potentially have a "path" to all of our homes. I give kudos to HomeSeer Technologies to even attempt to build such a solution, as from a developer's perspective it is not easy to build secure solutions like this. It takes serious thought and a team of experts to maintain such a solution. All of this results in significant business costs.
I personally think that an HTTPS web service capability is the simplified solution of security. Let me engineer the path to my HomeSeer system and allow me to host my HS environment via secure HTTPS web transactions. If there is a cost to purchase an official certificate, then let me make that decision whether the risk versus reward is justified. From my perspective, the cost of an official certificate is well worth the investment to protect my automation resources.
But we all know that a certificate will not necessarily guarantee that a breach will not occur:
* How many of us utilize proper practices to keep our Windows system safe from intrusion? How many of us run HomeSeer using a legacy Windows operating system? How many of us run HomeSeer using the administrator account? How many of us implement a proper systems security patching maintenance? I could go on and on.
* How many of us use effective password practices? I am not sure, but my understanding is that the default password for HomeSeer is Default/default.... How many of us have changed it? I am not sure if this password credential is only accepted via local connection attempts or if it is also accepted by HomeSeer for remote connections. You can extrapolate from there.
* How many of us have put thought to how our automation rules (events, etc) operate outside of the "happy path"? Do you have rules or events to counter a bad actor from setting your t-stat to below freezing temps or vice versa? I mean think of it.. What would happen?
Let's close with this: proper information systems security practices are all of our responsibilities. We must be a team and work together to ensure that our home automation systems are secure.
Last edited by Krumpy; March 3, 2017, 01:25 PM.
-
... and I'm still surprised Rich didn't respond with a "Yes, we know it's stupid not to have proper SSL support, but we will address the issue ASAP".
-
Originally posted by Krumpy:
Rich,
myHS is great for the average person. But keep in mind that we are all betting and depending on your infrastructure to protect our systems. MyHS is a global risk, as if it was compromised then we all could potentially be impacted. Do you have knowledgeable staff on the team that will practice ethical hacking to ensure that your environment meets industry security practices and standards? If not, then I would encourage you to be careful with the myHS recommendation as a solution for secure connectivity to people's homes.
Second, by keeping all traffic with the local web server (HTTP based) unencrypted, we are not addressing security concerns that may exist within an Intranet. I myself would prefer to use HTTPS even on my local network to protect from eavesdropping and to maintain security of my home.
Food for thought... Please do not eliminate the HTTPS capability. In fact, please upgrade it to support the latest crypto standards to meet industry standards.
-
Rich,
myHS is great for the average person. But keep in mind that we are all betting and depending on your infrastructure to protect our systems. MyHS is a global risk, as if it was compromised then we all could potentially be impacted. Do you have knowledgeable staff on the team that will practice ethical hacking to ensure that your environment meets industry security practices and standards? If not, then I would encourage you to be careful with the myHS recommendation as a solution for secure connectivity to people's homes, as stuff does happen. I know that you mean well, but I would encourage you to be careful with statements that we should not have security concerns.
Second, by keeping all traffic with the local web server (HTTP based) unencrypted, we are not addressing security concerns that may exist within an Intranet. I myself would prefer to use HTTPS even on my local network to protect from eavesdropping and to maintain security of my home.
Food for thought... Please do not eliminate the HTTPS capability. In fact, please upgrade it to support the latest crypto standards to meet industry standards.
Originally posted by rjh:
The local web interface is not going away, you will always be able to manage your system locally, without an Internet connection.
You really cannot use SSL securely without a domain. Sure you can create a self signed cert, but that is not really secure.
I don't know why there is a push back on MyHS. We have made it very reliable (I use it every day), it uses SSL, and it's free. Why should we provide yet another secure solution for accessing your home system, one that is so complicated that only the really technical can use it?
There are a bunch of free tunneling apps out there that you can run on your PC and that will allow you to securely tunnel into your home system. Also, as mentioned, you can use a VPN. So there are solutions available for the technically minded.
Last edited by Krumpy; March 3, 2017, 12:02 PM.
-
Originally posted by Moskus:
Perfect!
That means that if I replace "demo@homeseer.com" and "demo100" with my own credentials, it should work?
Code:
https://connected2.homeseer.com/JSON?user=demo@homeseer.com&pass=demo100&request=getstatus
Well, that's something at least!
Now, if we only had Gzip or anything like that enabled, perhaps speed could improve.
My GetStatus JSON string is long. I have 986 devices...
I can use https://myhs.homeseer.com/ to access my system if I want. What gives?
Robert
-
Originally posted by rjh:
But I would think you would use HSTouch for remote access. I never use the web interface; HSTouch is much easier and HSTouch uses very little data, so it should be just about as fast as a local connection.
- Robert
-
Originally posted by rjh:
For accessing MyHS with user/pass with JSON, see the help file here, and click on the JSON section. On the first page there is a sample URL that includes user/pass:
http://homeseer.com/support/homeseer...DK/default.htm
That means that if I replace "demo@homeseer.com" and "demo100" with my own credentials, it should work?
Code:
https://connected2.homeseer.com/JSON?user=demo@homeseer.com&pass=demo100&request=getstatus
Well, that's something at least!
Now, if we only had Gzip or anything like that enabled, perhaps speed could improve.
My GetStatus JSON string is long. I have 986 devices...
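The JSON URL quoted in the post above carries the account name and password as query-string parameters. HTTPS encrypts the query string in transit, but query strings are routinely recorded in browser history, proxy logs and web-server access logs, so anything on the client or server side that logs such requests should mask those parameters first. The helper below is an added example, not HomeSeer's code or API: the parameter names `user` and `pass` are taken from the quoted URL, the other key names in `SENSITIVE_KEYS` and the sample log line are constructed for the demonstration.

```python
"""Redact credential-bearing query parameters before a URL is logged.

Added example; not HomeSeer code. 'user' and 'pass' are the parameter names
used by the JSON URL quoted in the thread; the other key names are assumed
common names for secrets.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys whose values are treated as secrets (lower-cased for matching).
SENSITIVE_KEYS = {"user", "pass", "password", "token", "apikey", "api_key"}


def redact_url(url: str, mask: str = "REDACTED") -> str:
    """Return url with the values of sensitive query parameters replaced by mask.

    Parameter order and non-sensitive values (such as request=getstatus) are
    kept, so a redacted log line still shows which endpoint and request type
    were called. Any 'user:pass@host' userinfo in the authority is dropped too,
    since that is also a credential.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, mask if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(safe), parts.fragment))


def redact_log_line(line: str) -> str:
    """Redact every http(s) URL that appears as a whitespace-separated token."""
    out = []
    for token in line.split():
        if token.startswith(("http://", "https://")):
            token = redact_url(token)
        out.append(token)
    return " ".join(out)


# Constructed sample access-log line, modelled on the URL shape quoted in the thread.
SAMPLE = (
    "2017-03-01 15:16:33 GET "
    "https://connected2.homeseer.com/JSON?user=demo@homeseer.com&pass=demo100&request=getstatus 200"
)

if __name__ == "__main__":
    print(redact_log_line(SAMPLE))
```

The helper deliberately keeps the non-secret parameters intact so the logged line is still useful for troubleshooting; only the values of the listed keys and any userinfo component are masked. Extend `SENSITIVE_KEYS` to match whatever parameter names your own endpoints use.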
-
If you want to PM or email me your login I would be happy to try from here. If it's OK from here, it might tell us something.
Originally posted by rmasonjr:
I am in SouthWest MS...
You can use my myHS credentials to connect if you want. I suspect you'll see the same thing I am. Mine is the first connection. The second is a ZeeS2 I manage for a friend.
-
MyHS does not use the HSTouch plugin for web access, so that should not matter.
Originally posted by TechFan:
Rich,
You don't think it might be the HSTouch plug-in version? Not sure what is in the newer releases. I updated to .85 for some reason (don't remember what), but I haven't seen any change logs/release notes for the HSTouch plugin since... could be missing them...
-
Originally posted by rjh:
307 is a beta, but that should not matter. Update to 312 and see if there is any change, I suspect not. I don't understand why you cannot access reliably, all looks ok on this end. Where are you located?
You can use my myHS credentials to connect if you want. I suspect you'll see the same thing I am. Mine is the first connection. The second is a ZeeS2 I manage for a friend.
-
Originally posted by rjh:
307 is a beta, but that should not matter. Update to 312 and see if there is any change, I suspect not. I don't understand why you cannot access reliably, all looks ok on this end. Where are you located?
You don't think it might be the HSTouch plug-in version? Not sure what is in the newer releases. I updated to .85 for some reason (don't remember what), but I haven't seen any change logs/release notes for the HSTouch plugin since... could be missing them...
-
307 is a beta, but that should not matter. Update to 312 and see if there is any change, I suspect not. I don't understand why you cannot access reliably, all looks ok on this end. Where are you located?
Originally posted by rmasonjr:
Current Date/Time: 3/1/2017 3:16:33 PM
HomeSeer Version: HS3 Pro Edition 3.0.0.307
Linux version: Linux RPi2 3.18.5-v7+ #225 SMP PREEMPT Fri Jan 30 18:53:55 GMT 2015 armv7l GNU/Linux
System Uptime: 5 Days 23 Hours 59 Minutes 11 Seconds
IP Address: 192.168.0.142
Number of Devices: 299
Number of Events: 170
Available Threads: 372
Enabled Plug-Ins
2.0.89.0: BLRF
3.0.0.31: EasyTrigger
3.0.1.18: HAI
3.0.0.103: HSTouch Server
3.0.0.63: weatherXML
3.0.1.102: Z-Wave