Status of SSL in HS 2.0?


    #16
    I guess we "amateurs" can't handle it.
    HS3 Prod - Win10 - DSC - HVAC-GC-TBZ48 x3 - CurrentCost - BLRadar - RFXCOM/FRXTRX433 -ADIO - HSTOUCH - BLUPS - AB8SS - SONOS - Alexa - 1 wire - BlueIris -MyQ



      #17
      Homeseer 2 Feature List

      General Features

      - Totally re-written using the Microsoft .NET architecture and managed code for better reliability
      - .........
      - SSL web server for secure connections
      I did notice at the bottom though...

      Note - Specifications are subject to change. Listing reflects new features in HomeSeer v2.0 as of 08/11/2005.
      Just didn't expect it I guess :\



        #18
        Yes, it says:

        Listing reflects new features in HomeSeer v2.0 as of 08/11/2005.

        SSL is one of those features listed. Says nothing about PRO.

        Pretty plain to me, it says the SSL is a new feature as of 8/11/05. I'm sure Rich was just kidding around with his reply, right Rich?
        HS3 Prod - Win10 - DSC - HVAC-GC-TBZ48 x3 - CurrentCost - BLRadar - RFXCOM/FRXTRX433 -ADIO - HSTOUCH - BLUPS - AB8SS - SONOS - Alexa - 1 wire - BlueIris -MyQ



          #19
          Again can someone explain to me what SSL "buys you"? Is it simply that your password is encrypted when sent with SSL?
          -Rupp


            #20
            The whole session is encrypted, so your password, data sent and data received. Someone could, if not encrypted, capture the packets from your chat with homeseer and see your password sent, and even see the webpage data being sent back to you.



              #21
              I can tell you that sniffing plain text data is a very easy thing to do. I know, I do it at work all the time. You can see anything you want to see. Anything you do on your HS webpages over the web can be captured. This is why almost all retail transactions over the web now use SSL for security.
              HS3 Prod - Win10 - DSC - HVAC-GC-TBZ48 x3 - CurrentCost - BLRadar - RFXCOM/FRXTRX433 -ADIO - HSTOUCH - BLUPS - AB8SS - SONOS - Alexa - 1 wire - BlueIris -MyQ



                #22
                Guys,
                I could see if you had a security system that you didn't want someone getting your password if you sent this over the web, but no one has ever complained that this has happened. I personally do not care if someone knows that I turned A1 on or off. I guess it depends on what you do with your system in the long run.
                -Rupp


                  #23
                  The problem is Rupp, my homeseer web access allows me to, for example, see the status of my alarm. Anyone sniffing the port could also thus see the status of my alarm. I can't disarm the alarm, and that was done on purpose, but I would rather someone didn't have that information. Not all Homeseer installations are the same.. some will have more information than others. I know, for example one user that has his Homeseer controlling his garage door. Now assume someone was watching his homeseer session.. he's now got the password for full access to Homeseer and can open that garage door.

                  OK, so don't put sensitive devices on Homeseer.... well, kinda defeats the idea of having Home Automation.



                    #24
                    I don't really care if people know that I turned switch A1 on or off as well Rupp, but that is not the entire point.

                    The point is, that it is information that is not public, therefore should be sent over the internet in an envelope of security....

                    Internet security is a big deal, just because no one has reported it as being a problem yet, doesn't mean it hasn't and can't happen in the future. All you need to make your hair fall out and your WAF go negative is for someone to start messing with your system in the middle of the night... and... btw...

                    You have given this "hacker" all the tools they need to mess with you, including the password.

                    Let's see... turn on Rupp's stereo really loud.... watch motion sensors...hmmm. no motion...... okay... turn on Rupp's bedroom light.... watch status.... bedroom light is turned back off.... let's watch Rupp's cameras.... boring, nothing going on here..... let's turn on Rupp's sprinkler system, change the password on his hs account, create an additional account for me, upload really nasty WAV files to be played during the night, turn on all the lights every time the house goes to vacant or away mode, turn the heat up to 110 degrees, or turn it off in the winter.... listen to voicemail, this list can go on and on and on and on...

                    The point being these are things that only authorized people should be doing, and you have given a hacker the easiest tool in the book.... your password.

                    just because it hasn't happened, doesn't mean that it won't...... just because my house hasn't been broken into doesn't mean I don't need a security system, doesn't mean I should leave my doors unlocked... or better yet a sign in the front yard telling people when I'm home and away, and where I keep the spare key.....
                    Joe (zimmer62)

                    BLSecurtiy, AC-RF2, RCS Serial Thermostats, RFXCOM SMarthome SwitchLinc, mcsXap, Global Cache GC100, SqueezeBox, TWA_ONKYOINTEGRA, BLLogMonitor, BLPlugins, BLRadar, BLSpeech, BLZLog.aspx, HSTouch (Windows, iPhone, iPod), USB Mimo touchscreens, VMWare Server, Vortexbox, Windows Home Server, MyMovies, Windows Media Center, X10, ZWave, and much much much more.



                      #25
                      Originally posted by MFULLER
                      The problem is Rupp, my homeseer web access allows me to, for example, see the status of my alarm. Anyone sniffing the port could also thus see the status of my alarm. I can't disarm the alarm, and that was done on purpose, but I would rather someone didn't have that information. Not all Homeseer installations are the same.. some will have more information than others. I know, for example one user that has his Homeseer controlling his garage door. Now assume someone was watching his homeseer session.. he's now got the password for full access to Homeseer and can open that garage door.

                      OK, so don't put sensitive devices on Homeseer.... well, kinda defeats the idea of having Home Automation.

                      No, I totally see why some would not want that info known and would rather have this sent securely, but I also know that over the last several years users have been controlling their garage doors and security systems with HS without SSL and there have been no reports of a HS security breach at least not that I have read about. I would suggest putting in a help ticket and asking about the direction of SSL and HS 2.0/Pro and see what the plans are for implementation.
                      -Rupp


                        #26
                        Guys,

                        Here is the deal. I'll be honest, I really don't have a handle on how this will work for the average user. Maybe someone more knowledgeable on SSL can fill me in. We decided to make this a PRO feature due to the HUGE amount of support this feature will require. It has been implemented and works with a test certificate. Here are the issues:

                        * You need a real certificate for it to work. Certificates are designed to be obtained by system admins for use on servers. The average user will have no clue on how or which certificate to get. I tried to get one myself and never actually obtained one.

                        * I include a test certificate that works, but the user will get a dialog saying that the certificate is invalid. So they will think they are not secure. So we cannot include a valid certificate

                        * It appears certificates are tied to a URL, which will obviously change or may not even exist since most people connect via IP address

                        So to us, this is just a support nightmare waiting to happen. However, if anyone can tell me how to offer this with a simple checkbox, I would look into it. We should not have mentioned that it would be in HS2 without doing more research upfront.


                          #27
                          I manage (system administrator/consultant) multiple networks where the system is to be used internally or by employees only and we have generated our own certificates. They no longer match the URL and they have expired, giving you 3 different warnings every time you connect to the website, but they still provide encryption and security.

                          I would definitely like to have the SSL encryption, actually it is a MUST on today's network when you are controlling not only the automation but the security functions of your house.

                          Please release SSL and include a certificate, but make sure that it is working PERFECTLY prior to releasing it, to eliminate people having problems and questions.

                          I myself would not bother in issuing my own certificate (Windows servers and multiple Linux programs allow you to create your own certificate without having to pay for it).

                          Please accept my plea to release SSL.

                          Rene



                            #28
                            Originally posted by rjh
                            Guys,
                            We decided to make this a PRO feature due to the HUGE amount of support this feature will require.
                            Ok, I can see where you are coming from. That makes sense.

                            * You need a real certificate for it to work. Certificates are designed to be obtained by system admins for use on servers. The average user will have no clue on how or which certificate to get. I tried to get one myself and never actually obtained one.
                            OK fair enough. Anyone with Windows Server edition can actually generate their own certificates using the Windows Certification Authority program, which is an optional install feature. I myself have this running on my server. I must admit though, the average user may have problems, and may not be running Windows Server.

                            * I include a test certificate that works, but the user will get a dialog saying that the certificate is invalid. So they will think they are not secure. So we cannot include a valid certificate
                            That's right, as it should be. This stops people generating false certificates. If someone wants SSL, they *have* to get their *own* certificate. It's not your job to supply one.

                            * It appears certificates are tied to a URL, which will obviously change or may not even exist since most people connect via IP address
                            Very true, but easily got round by hosts files or dns servers.

                            So to us, this is just a support nightmare waiting to happen. However, if anyone can tell me how to offer this with a simple checkbox, I would look into it. We should not have mentioned that it would be in HS2 without doing more research upfront.
                            I can certainly see where you're coming from. Anyone without good knowledge of SSL will probably have a hard time, and it's not the easiest thing to implement. BUT... if someone buys the product because they want SSL, it's not hard to assume that they know how to use SSL.. if they didn't.. they wouldn't want it.

                            Maybe make it a free optional add-in with a proviso that you have no responsibility for offering support for SSL?

                            I'm stuck between a rock and a hard place. I can see where you are coming from with regard to support, but I also feel a bit cheated as SSL was the *only* reason I upgraded to HS2.

                            Thanks

                            Marc



                              #29
                              Make it optional then, as Rich stated, some of us would view this as another broken thing if we could not figure out how to make it work properly. I for one am protecting my home network behind a firewall from the internet, and would rather see a reliable and easy automation system. Cyber security can then be focused at the firewall.

                              Larry.
                              -Larry

                              A member of "The HA Pioneer Group", MyWebSite

                              Plugins:
                              VWS, AB8SS, lrpSpeak, Calendar, Arduino, Harmony, BlueIris, Sprinklers, ZipBackup...

                              Hardware:
                              Intel NUC8i7BEH1 running Windows 10 Pro headless, HS3 Pro, Plex running on Synology dual High Availability DS-1815+ NAS (24Tb each), Synology Surveillance Station running on DS-416 Slim (8Tb), Samsung SmartThings, Google Home, Alexa, Hubitat Elevation, ZNET, Ubiquiti UniFi Network, Davis Vantage Pro II Weather Station. Whole house speaker system using a couple of AB8SS switches. Vantage Pro II Weather Station, Rain8Net Sprinklers, Hubitat Elevation, Google Home, Alexa, DSC Security System, Ubiquiti UniFi Network.



                                #30
                                Rich,

                                Please release SSL and make it optional.

                                Even with an invalid (expired, wrong URL, etc.) certificate, the connection is still encrypted, and if you know that you are connecting to your own home, you do not care about having company XYZ guarantee that you are connecting to your OWN HOME.

                                Issue a default certificate. Let those with the knowledge and desire create and install their own certificate, the remaining SSL users will have to live with three warnings in one page when they connect.

                                Certificates are smoke screens, all they do is have an institution guarantee that the connection you are making is to the endpoint that you are expecting and companies such as VeriSign or others just guarantee, for a handsome fee, that you are in fact connecting to the Website you are expecting and not some other passing as your financial institution, etc...

                                Most people don't really know how they work, and they think that if you have a warning or three there is a problem. If you are connecting to your Bank or broker THERE IS A PROBLEM!!, but if you are connecting to your own home, and you already know about the mismatch information causing the warning, you will still enjoy a SECURE link between the two endpoints.

                                Please release SSL, and let me know if I can be of any assistance.

                                Sorry if I sound passionate, but I am fed up with a lot of misinformation that companies that issue certificates take advantage of to push their products.
                                Last edited by Rene; October 7, 2005, 11:21 AM. Reason: misspelled word
