Security/Https & HSTouch

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Security/Https & HSTouch

    Many people are concerned about security, and people who are not should be. There have been threads regarding HTTPS, which is a great solution. However, because HS3 is hosted locally, which is the main reason I chose HS over cloud solutions, HTTPS has to be implemented locally. It's a pain to do this, and if you don't want a self-signed certificate you need to spend more money and, more importantly, deal with updates/maintenance.

    Considering this, isn't MyHS combined with HSTouch the right solution, as I believe HSTouch is encrypting all traffic? Doesn't that cover all the concerns, or what am I missing?

    Actually, there is one issue that I think MyHS/HSTouch doesn't address. You can't really access local resources. For instance, I have custom websites on the same computer HS is hosted on. I would like to access those resources through MyHS so they are encrypted.

    #2
    One of the big draws of HS3 is independence from cloud-hosted services. If you rely on MyHS then you've put yourself back at the mercy of cloud hosting. Not to the same extent as something like SmartThings, mind you.

    I use a pfSense firewall with the HAProxy plugin; this acts as my router and a reverse proxy for publishing HS as well as other services to the web. I'm currently using a self-signed cert with the root CA imported on my devices, however you could use the Let's Encrypt plugin to publish with publicly trusted SSL certs. I've been meaning to do this, just haven't gotten around to it.

    Yes, HSTouch is encrypted, but I'm not sure to what extent (cipher suite? Is all traffic encrypted or just authentication?). Personally I'm not a fan of the default interface. Yes, I know it's meant to be customised, but I don't have that kind of patience, not when HSBuddy is as good as it is out of the box. Plus I can SSL-wrap HSBuddy.

      #3
      Rich has stated multiple times that only the username and password for the HSTouch authentication is encrypted, all other data is plain text.

      You can see this for yourself by installing Wireshark and performing a capture.

      Personally I wouldn't use HSTouch outside the LAN, and real security minded people would probably not trust that.

      My 2 cents.
      Last edited by mterry63; June 23, 2018, 02:20 PM.

        #4
        Agree with you 100%. When I need to get in remotely I fire up VPN on my devices. Didn't cost me anything since my router supports it.

        When it comes to HSTouch, the one thing that is missing is a really good graphics library. I would say that 99% of the people don't have the ability to create graphics. Without good graphics it's hard to create a good HSTouch interface.

        It's my understanding that it's basically impossible to pass around good interfaces for others to use. Hopefully I'm wrong about that; it's just what I read once.

        Lastly, it would be great if HSTouch Designer, and all the other support programs, were platform independent, just as HS3 is, as not everyone uses Windows.
        HomeSeer Version: HS3 Standard Edition 3.0.0.548
        Linux version: Linux auto 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
        Number of Devices: 484 | Number of Events: 776

        Enabled Plug-Ins: 3.0.0.13: AirplaySpeak | 2.0.61.0: BLBackup
        3.0.0.70: EasyTrigger | 1.3.7006.42100: LiftMaster MyQ
        4.2.3.0: mcsMQTT | 3.0.0.53: PHLocation2 | 0.0.0.47: Pushover 3P
        3.0.0.16: RaspberryIO | 3.0.1.262: Z-Wave

        Z-Net version: 1.0.23 for Inclusion Nodes
        SmartStick+: 6.04 (ZDK 6.81.3) on Server

          #5
          Oh, that's bad. I thought that all the traffic was encrypted. Well, I will have to rethink everything then. VPN is kind of out of the question (nothing technical), so maybe I have to reconsider a self-signed SSL certificate. What a bummer.

            #6
            mterry63 said: "Rich has stated multiple times that only the username and password for the HSTouch authentication is encrypted, all other data is plain text."

            I did some more research and found the following from rjh:
            https://forums.homeseer.com/showpost...9&postcount=96

            It says the data is encrypted, too. So let's say I have a text field with a URL (for a video feed). That URL includes the username and password. Would that also be encrypted, because the URL is data from HSTouch (but not the video data itself, I assume)?

              #7
              Originally posted by mulu:
              mterry63 said: "Rich has stated multiple times that only the username and password for the HSTouch authentication is encrypted, all other data is plain text."

              I did some more research and found the following from rjh:
              https://forums.homeseer.com/showpost...9&postcount=96

              It says the data is encrypted, too. So let's say I have a text field with a URL (for a video feed). That URL includes the username and password. Would that also be encrypted, because the URL is data from HSTouch (but not the video data itself, I assume)?

              I don't read it that way. The post says: "The HSTouch connection is a simple TCP connection and it uses our own protocol. The user/pass are AES 128 bit encrypted. To use SSL for the connection would be a work item. I don't have plans to do this right now. ... To do SSL from the client, would require work on all the clients."
              This indicates that the HSTouch protocol encrypts only the login credentials.
              Further: "If you use MYHS, the connection from our server to your PC is AES encrypted, including the data." I take this to mean using MyHS in a web browser, not HSTouch.

                #8
                Ah, MyHS in a web browser. I didn't think of that. So I guess I have to set up my own proxy and SSL. Bummer!

                  #9
                  Last edited by Kerat; June 26, 2018, 02:14 PM.

                    #10
                    Kerat, this setup sounds interesting but not trivial to set up. In any case, why are you using pfSense vs. something like stunnel? It's my understanding that pfSense is primarily a firewall/router with the option for SSL encryption. stunnel, in contrast, is just SSL encryption. Or do I get this wrong?
                    I was thinking of using stunnel and a self-signed SSL certificate to start with. Then I would use one port for HSTouch and one for BI (and another one for audio streaming). From what I read, stunnel can be configured in a fairly similar way to pfSense. Btw, for me everything will run on the same computer. I have no plans to distribute the load over multiple computers, and I probably will not even use virtual machines.
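Added example (not from this thread, stunnel, or HomeSeer) of the stunnel layout discussed in #2 and #10: one self-signed certificate, a separate TLS listener per plaintext service, and a client-side section that pins that certificate, which is the stunnel equivalent of importing your own CA on each device. Port numbers, hostnames and file paths are assumptions; adjust them to your installation.

```ini
; stunnel.conf (example, not from the thread). Assumed ports: HSTouch on 10200,
; Blue Iris on 81; assumed cert/key in /etc/stunnel. Create the self-signed pair with:
;   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
;     -subj "/CN=hs.home.lan" -keyout /etc/stunnel/hs.key -out /etc/stunnel/hs.crt

; ---- server side (the HS3 / BI machine) ----
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid
output = /var/log/stunnel.log
debug = notice

; Terminate only TLS 1.2 with forward-secret AEAD suites; refuse SSLv3/TLS 1.0/1.1.
sslVersion = TLSv1.2
ciphers = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5

[hstouch]
; HSTouch's own protocol is plain TCP (only the user/pass is AES-encrypted), so this
; listener only helps a client that also runs stunnel (see client section) or a VPN.
accept = 0.0.0.0:10201
connect = 127.0.0.1:10200
cert = /etc/stunnel/hs.crt
key = /etc/stunnel/hs.key

[blueiris]
; Browsers speak TLS natively, so the BI web UI works through this directly.
accept = 0.0.0.0:4431
connect = 127.0.0.1:81
cert = /etc/stunnel/hs.crt
key = /etc/stunnel/hs.key

; ---- client side (e.g. a laptop; put in its own stunnel.conf with hs.crt copied over) ----
; HSTouch is pointed at 127.0.0.1:10200; stunnel carries it over TLS to the server.
[hstouch-client]
client = yes
accept = 127.0.0.1:10200
connect = hs.home.lan:10201
; Pin the self-signed certificate: the peer must present exactly hs.crt,
; which is what protects a remote session from a spoofed endpoint.
verifyPeer = yes
CAfile = /etc/stunnel/hs.crt
```

Without the client-side section (or a VPN), the HSTouch listener adds nothing, because the stock HSTouch app cannot open a TLS connection, as rjh's quoted post in #7 explains.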
