Glad to hear it is potentially going to get an update! Of course, I use the linux version, so allowing SSL support for the client connections and remote web interface in linux would be great! It seems it should work, but when I tested it long ago I ran into complications with the MONO configuration. Maybe it was just needing to know the right config files to tweak.

I don't think that's right anymore. .NET Core is great for multiplatform development, and ASP.NET Core certainly exists. It's not exactly IIS, but it could be a great solution nonetheless.

Looks like HTTPS support has been dropped in the later builds.

I have to admit that I am very disappointed that we are in 2017 and support for secure communications has been deprecated with the system.

In my opinion, myHS is not acceptable as it is a hosted cloud solution. It is a unproven technology in terms of being secure until it is pen tested by a outside entity.

I would caution folks thinking that it is secure. It might be, it might not be. We have already seen occurrences for various odd users showing up in the user accounts table that somehow appeared in the system.

Not on purpose, it should still be in there.

I do plan on updating it, it uses older protocols.

MyHS is really the way to go, especially if you want to use voice services like Alexa and Google Home. All the work for those is done on the server.

Rich,
I opened another thread about a month ago on this topic as well. Are there any plans to have HSTouch support SSL certs? When I try to use one, HSTouch can't talk to HS3 directly anymore.

Not sure I follow what you are trying to do. The HSTouch connection is a simple TCP connection and it uses our own protocol. The user/pass are AES 128 bit encrypted. To use SSL for the connection would be a work item. I don't have plans to do this right now. If you use MYHS, the connection from our server to your PC is AES encrytped, including the data.

To do SSL from the client, would require work on all the clients.

We are still working on a totally new mobile app, which already does SSL for the connection.

If you are already working on something, that works for me.

Basically I have a cert sitting on my router for the HSTouch port. This acts as a proxy for all communication coming into my house to make sure it is secured. Cert doesn't need to sit on the client in this config.

Thanks Rich.

I was wrong and you are correct that the legacy HTTPS is still there. Please accept my apologies.

At some point soon, please do upgrade the HTTPS service to support the newer TLS based communications. It is my understanding that in general the industry has deprecated the legacy SSL based communications in favor of TLS.

Thank you!

I agree with what Rich has stated. It would be a lot of work to redo the straight TCP based HSTouch clients to use HTTPS.

If you are concerned (it makes sense) then I would implement a VPN solution and run HSTouch clients across that. I can help you with this if you're interested.

The SSL was implemented using third party code since SSL was not in .NET at the time we added it. It has since been added to .NET so its pretty easy now to create an SSL TCP server and I am doing it already in MyHS. Just need to move the code over. It probably won't take long to implement.

We need native HTTPS support!


Sweet. Would you please design the HSTOUCH replacement such that we can configure direct access to our systems using ssl/TLS encrypted Http connections and without the need for a cloud based solution to act as an intermediary service host? I too have a reverse proxy stood up at home, a subdomain I own, and an SSL cert that is publicly trusted. I would love to use for this specific scenario.



Sent from my iPhone using Tapatalk

While I second this request, I will point out that HSTOUCH can directly access your HS3 installation today. But not using SSL/TLS, which is perhaps what you meant?

We need native HTTPS support!



Fair enough, updated. I do have it enabled on my system, but am a bit unhappy with the AES-128 bit encryption and the fact that I can't pass the connection over port 443 along with my other services I make available on my reverse proxy.


Sent from my iPhone using Tapatalk

HomeSeer security is poor - and getting worse

20171217 Updates BELOW in GREEN.

I have to agree with Krumpy; I'm having a very significant cognitive dissonance problem with HomeSeer's approach to security. Customers (users) are controlling ever more important sensors and actuators while HomeSeer is actively removing security functionality out of the product.

1. Customers are controlling important things like water valves, door locks, alarm systems, thermostats, etc. These are real-world items with potentially expensive and painful real-world consequences if hacked.

2. HomeSeer has completely lost native SSL/TLS security on its management interface in the latest builds. It simply doesn't work. The login screen for the management interface on the HTTP port 80 interface says, and I quote: "Log in to <machinename>:80 Your password will be send unencrypted." I checked with WireShark, and yes - the credentials are being sent unencrypted. BETA build with SSL capability now available. Cool!

2a. I want to clarify here that I would NEVER recommend running HomeSeer directly connected to the Internet, with or without SSL, to anyone. In fact, I would recommend running exposing nothing except a well-known secure VPN exposed to the Internet. Consumer-grade software and hardware are very likely to be quickly hacked and taken. I have enough gizmos, gadgets, and guests, on my home network that I want to take reasonable due-diligence precautions to protect myself. I.E. Regular patching, antivirus everywhere, encrypted connections on all key services, etc.

3. HomeSeer doesn't run as a service. I have to leave a system always logged as a user. Its only protection? A screensaver. There is no technical reason that HomeSeer on Windows cannot run as a service. "Its Hard" is not an excuse.

4. Could someone please explain why the only "secure" way to access HomeSeer on my home network, from a phone on my home network, requires the Internet and a Cloud Service both be involved? I'm managing a computer less than 50 feet away on the same network! Its a HACK that adds several more failure points as well as significant unnecessary complexity for local access. Giving credit where due - MyHS is useful for remote access without a VPN. BETA build with SSL capability now available. Cool!

5. Just how secure is MyHS anyway? What testing has been done by third parties to verify the the MyHS service is actually secure? Can we see the documentation from the testing? I did a quick check, and the service still has weak/insecure ciphers enabled on https://myhs.homeseer.com
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
FIXED! TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE
FIXED! TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE

The Bottom Line: As a CISSP-ISSAP/ISSMP security professional and network architect/designer, I give Homeseer 2 out of 10 for security. Why 2 instead of zero? It has passwords and MyHS has SSL/TLS capability. As a paying customer, I'm not just unimpressed - I'm upset. I'm having to do special isolation and firewalled subnets on my home network to compensate for the poor security of the product. Security is a competitive differentiator. Get this done before your competition does.

I generally research a product thoroughly and ensure that it satisfies my needs before I purchase it. If I find that it falls short of my expectations I move on and purchase an alternative. What I generally do not do is make a purchase in the hope that at some time in the future it will meet my demands or demand that it should.

HA by nature is still a very experimental technology concept as it encompasses so many different technological elements and gathers them all under one umbrella. Some of those elements work well together and some do not. For example, we cannot expect to buy a switch, a timer or a valve in our local store and expect it to work with Homeseer out of the box without fully researching it.

While Homeseer does try to be all things to all people it will on some occasions fall short of these expectations. I have tried quite a number of the alternatives, Vera being one example and I can assure you that Homesser is head and shoulders above them. You could of course get your hands dirty and fire up the likes of openHAB and Domoticz, an open solution where you can experiment to your hearts content while contributing solutions at the same time. This could well be the way to go for the "experts" out there.

I for one prefer the Homeseer approach where the developers supply the solution and encourage contributions and suggestions from its users. Not all suggestions will be taken on board for various reasons be they for technical or asthetical reeasons but with community assistance solutions and workarounds can be found. Demanding that something should be implemented is not the way forward here.