We need native HTTPS support!

#46
Originally posted by Kerat:
So, I am trying to work on a way to get a reverse proxy configured with an SSL cert to allow HTTPS support on my Emby media player. If it works I will update to the latest version .312 and try getting HS added to this.

I've successfully set up nginx for this purpose, as mentioned in the first post. It works really well.

But I still consider it a band-aid on what should be there right out of the box.

HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
Running on Windows 10 (64) virtualized on ESXi (Fujitsu Primergy TX150 S8).
WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!


#47
Originally posted by Moskus:
I've successfully set up nginx for this purpose, as mentioned in the first post. It works really well.

But I still consider it a band-aid on what should be there right out of the box.

Hm. I'll try looking at this at some point.


#48
I had been using Stunnel and a self-signed certificate to create HTTPS connections into HS3. It worked well, but the encryption created CPU load on my old laptop. I eventually removed it and closed the outside ports, relying on HSTouch and MyHS.

While self-signed certificates are not as secure as signed ones, they do have value because the data is encrypted and snoopers can't see any clear login credentials. Using them is better than clear text.

I understand your points about the value of MyHS, but I'm one of those who like to keep my things local and independent and 100% within my control. Still, having the secure option of MyHS is good. -Rick


#49
Originally posted by Archcantor:
While self-signed certificates are not as secure as signed ones, they do have value because the data is encrypted and snoopers can't see any clear login credentials. Using them is better than clear text.

Yes, exactly! If it is a matter of encryption or no encryption for web traffic, there really should be no debate.


#50
There does not seem to be any debate anymore. Just silence with heads in the sand. If more people were concerned, there would be more action. Why should the software developers focus on this when not enough people care?

The ultimate problem is that people don't care about security until they are compromised. Then they scream "how can this happen?" Most people don't want to invest the time and energy in their security posture until it is too late.

It is not a matter of "if" but rather "when". MyHS will become compromised if the appropriate due diligence is not practiced. Then there is a good chance that systems using this service will be impacted. We just don't know yet how they will be impacted...

As it stands, the current HTTPS server helps somewhat, but ultimately I figure that it is riddled with security holes, as the underlying technology does not appear to be maintained and patched.
HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.


#51
Originally posted by rjh:
The local web interface is not going away; you will always be able to manage your system locally, without an Internet connection.

And it should stay, but HTTPS should be added as well.

Originally posted by rjh:
You really cannot use SSL securely without a domain. Sure, you can create a self-signed cert, but that is not really secure.

I have to disagree with your statement. A self-signed cert is just as secure as a signed one for protecting the data. Any cert, be it signed or unsigned, will protect the connection and the data crossing it, but only a signed one confirms the identity of the site you're connecting to. VPN connections are not signed, but they secure just as well.

To put it in other words: if I'm running an e-commerce server I MUST have a signed cert, or my customers will not know if it's really me they are connecting to. For my own personal server that only my family connects to, a self-signed cert protects just as well as a signed one.

Originally posted by rjh:
I don't know why there is push back on MyHS; we have made it very reliable (I use it every day), it uses SSL, and it's free. Why should we provide yet another secure solution for accessing your home system, one that is so complicated that only the really technical can use it?

So when I'm away from home my connection to MyHS is secure, but is the connection between MyHS and my controller at home secure, or is it running in the clear?

Originally posted by rjh:
There are a bunch of free tunneling apps out there that you can run on your PC that will allow you to securely tunnel into your home system. Also, as mentioned, you can use a VPN. So there are solutions available for the technically minded.

VPN has always been my preferred way to communicate between my home and my remote devices, but one should never leave HTTPS out of the picture.

Originally posted by Moskus:
I still think we need a proper SSL-supporting web server. You can even get free fully qualified certificates these days (take a look at letsencrypt.org), so there really aren't any excuses. We ARE in 2017; everything should be using SSL.

I'll have to check them out, and I agree EVERYTHING should be using SSL, especially when it's going into and out of your home.
Last edited by Timon; May 22, 2017, 01:47 PM.
HomeSeer Version: HS3 Standard Edition 3.0.0.548
Linux version: Linux auto 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Number of Devices: 484 | Number of Events: 776

Enabled Plug-Ins: 3.0.0.13: AirplaySpeak | 2.0.61.0: BLBackup
3.0.0.70: EasyTrigger | 1.3.7006.42100: LiftMaster MyQ
4.2.3.0: mcsMQTT | 3.0.0.53: PHLocation2 | 0.0.0.47: Pushover 3P
3.0.0.16: RaspberryIO | 3.0.1.262: Z-Wave

Z-Net version: 1.0.23 for Inclusion Nodes
SmartStick+: 6.04 (ZDK 6.81.3) on Server


#52
Originally posted by Timon:
I have to disagree with that statement. A self-signed cert is just as secure as a signed one for protecting the data. Any cert, be it signed or unsigned, will protect the connection and the data crossing it, but only a signed one confirms the identity of the site you're connecting to. VPN connections are not signed, but they secure just as well.

THIS!


#53
Yes, HTTPS please

I agree 100%; HTTPS is a basic expectation of secure external access via the internet. VPN has its place, but it should not be a necessity for a simple web interface, nor a workaround for the missing implementation of a basic feature.

As an example, Emby media server is exposed to the internet, supports HTTPS external access and also has the native ability to run as a Windows service on boot, with no user login required.


#54
We need native HTTPS support!

Originally posted by Moskus:
I've successfully set up nginx for this purpose, as mentioned in the first post. It works really well.

But I still consider it a band-aid on what should be there right out of the box.

I am fortunate: I have a pfSense firewall that is very flexible. I have my reverse proxy (the HAProxy package in pfSense) set up using a few subdomains under my registered domain. To get to my home I have an A+ public DNS record that is updated by my dynamic DNS package in pfSense. I have a few CNAME records that point to my A+ records.
I use the ACME (Let's Encrypt) package for pfSense to manage and automate the updating of my SSL certificates for each of my subdomains. I had to add a custom TXT record to my public DNS for each SSL certificate.
Everything seems to be working like a champ. My next step is to harden my setup:

1. Get client certificate authorization configured in the HAProxy client, in order to ensure that only devices I choose can access my HAProxy front end in the first place.

2. Ensure that I am using all the security best practices in my setup.

3. Figure out how to get a log configured to enumerate what IP addresses are attempting to access my system and what region they are in.
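As an added example (not the poster's configuration and not what the pfSense package generates), here is a hand-written HAProxy configuration for the setup above that also covers hardening steps 1 and 3: a Let's Encrypt certificate on the public frontend, mandatory client certificates issued by a private CA, and a log line recording the connecting IP and client-cert identity. The hostname, addresses, file paths and the private client CA are assumed placeholders.

```haproxy
# Added example: hand-written haproxy.cfg equivalent of the pfSense/HAProxy
# setup described above; not the poster's config and not pfSense package
# output. Hostname, addresses, paths and the client CA are placeholders.
global
    log /dev/log local0
    # Only TLS 1.2+ and AEAD cipher suites on the public side
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Plain HTTP exists only to bounce browsers to HTTPS
frontend fe_http
    bind :80
    http-request redirect scheme https code 301

frontend fe_https
    # Let's Encrypt cert (key + chain in one PEM, renewed by the ACME package).
    # 'verify required' is step 1: the client must present a certificate
    # issued by the private CA in home-client-ca.pem, or the TLS handshake
    # fails before any HTTP request reaches HomeSeer.
    bind :443 ssl crt /var/etc/haproxy/hs.example.com.pem ca-file /var/etc/haproxy/home-client-ca.pem verify required
    # Step 3: one log line per request with client IP:port, TLS version and
    # cipher, the CN of the client certificate, status, method and URI.
    # Ship it via syslog to whatever does the geo-IP lookup.
    log-format "%ci:%cp [%t] tls=%sslv/%sslc cn=%[ssl_c_s_dn(CN)] %ST %HM %HU"
    # Only serve the hostname the certificate was issued for
    http-request deny unless { req.hdr(host) -i hs.example.com }
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend be_homeseer

backend be_homeseer
    # TLS terminates at the proxy; the LAN hop to HS3 is still plain HTTP,
    # so keep the proxy and the HS3 box on the same trusted segment.
    http-request set-header X-Forwarded-Proto https
    server hs3 192.168.1.20:80 check
```

The DNS-01 TXT records and certificate renewal stay with the pfSense ACME package; this file only consumes the resulting PEM. The plain-HTTP leg between the proxy and HS3 is the trade-off the thread is about, which is why the backend comment insists on a trusted LAN segment.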


#55
Could we have a South African server then too, please?

Setting aside the political objections to having all of my traffic traverse a network in the US:

Page load time direct: 3s
Page load time using MyHS from South Africa: 32s!!

I'm sorry, but I find it very parochial to assume that MyHS is the panacea for everyone just because the majority of your user base is in the USA.

As for VPN access, having to establish a VPN to my home network from my phone every time I want to access HS is just not a feasible solution.

Oh, and the "use HS Touch" response is also unacceptable, given the fact that it's buggy, incomplete and not receiving the development attention it deserves these days.
Author of Highpeak Plugins | SMS-Gateway Plugin | Blue Iris Plugin | Paradox (Beta) Plugin | Modbus Plugin | Yamaha Plugin


#56
My understanding of HTTPS is that it does not provide the security protection you are expecting. Rather, it encrypts the communication between the client and the server. This prevents the data from passing in clear text over the internet. HTTPS will not directly protect your HS system from being compromised. It would prevent someone from possibly capturing your HS ID and password as it passed between your client and server.

The SSL certificate is to warn the user whether you are indeed directly communicating with the intended server. However, there are (weekly) new methods attackers are using to trick you into going to fake sites to capture your login credentials. Here is a recent issue fixed in some modern web browsers, but recently in Chrome (https://9to5mac.com/2017/04/20/how-t...ke-apple-site/)

If there are security-related vulnerability "bugs" in HS, those bugs would allow it to be compromised regardless of HTTP or HTTPS. HTTPS would just mean that the attacker's communication would be encrypted between their client and your HS system.

Real security protections rely on the HS application developers and your network/firewall/user account management.

User account management would entail setting up HSTouch and internet-use-only accounts, etc., that do not have administrative privileges.

Having additional built-in security-related options, such as system event triggers leveraging the current event engine, or notifications on new account creation or changes and on remote logins, would greatly reduce the effects of a compromise.

When the HS log was still text (HS2), I wrote a simple Perl script that monitored the text log for remote logins and notified me (email on phone). I've lost that ability in HS3, as the log is now a SQLite database. I have the base code changed but never implemented it to query the database, as I was focused on a Windows-to-Linux HS3 migration and plan to address it on Linux. However, a built-in capability to notify an admin email address would simplify this for all.
Len


HomeSeer Version: HS3 Pro Edition 3.0.0.435
Linux version: Linux homeseer Ubuntu 16.04 x86_64
Number of Devices: 633
Number of Events: 773

Enabled Plug-Ins
2.0.54.0: BLBackup
2.0.40.0: BLLAN
3.0.0.48: EasyTrigger
30.0.0.36: RFXCOM
3.0.6.2: SDJ-Health
3.0.0.87: weatherXML
3.0.1.190: Z-Wave


#57
HTTPS is exactly the encryption I'm looking for, to ensure my credentials and home automation commands are not sent in clear text. To help limit the possibility of man-in-the-middle and other injection attacks, HTTPS goes a long way.

I fully agree that other means are necessary to identify possible compromises of the system.

A great tool that helped with that is Jon00's Whois plugin. But again, because I don't live in the USA that plugin won't work, because my log format lists the date differently and HST won't address the bug.

I think this thread was started to try to highlight the need for SSL support and remind HST that many of us invested in this platform because of the openness and flexibility it offered. It very much feels like that's being taken away and we're being forced into compromised alternatives.


#58
Originally posted by beerygaz:
Could we have a South African server then too, please?

Setting aside the political objections to having all of my traffic traverse a network in the US:

Page load time direct: 3s
Page load time using MyHS from South Africa: 32s!!

I'm sorry, but I find it very parochial to assume that MyHS is the panacea for everyone just because the majority of your user base is in the USA.

As for VPN access, having to establish a VPN to my home network from my phone every time I want to access HS is just not a feasible solution.

Oh, and the "use HS Touch" response is also unacceptable, given the fact that it's buggy, incomplete and not receiving the development attention it deserves these days.

These are all valid points. However, if the desire is to use the web interface remotely (instead of HSTouch), this *appears* to be available via HTTPS in the network settings tab. I tried it, but had not yet created a security certificate, so Firefox for Android rejected it.


#59
Nah, set it up and HS3 barfs when trying to start the secure server. If HST just fixed what used to work in HS2, even with self-signed certs, it would be a start.

HSTouch is plain text too. The JSON interface is an amazing tool, but also plain text (unless via MyHS).


#60
Originally posted by beerygaz:
Nah, set it up and HS3 barfs when trying to start the secure server. If HST just fixed what used to work in HS2, even with self-signed certs, it would be a start.

HSTouch is plain text too. The JSON interface is an amazing tool, but also plain text (unless via MyHS).

You just saved me an hour of useless computer fiddling, thanks. As useful as HomeSeer is, these are some important features that need to be addressed. By its nature, the user base is largely technically literate and can at least operate their own computer network. The expectation of direct, secure external access is completely reasonable and consistent with the intended use and user base of the software.