Concerning updater message in log

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #16
    As a developer of a couple of plugins, here is my $.02.

    Hosting my own files allows me to do instant updates to the updater. Based on my experience of trying to set up a new plugin in the updater (even with me hosting it), it would take me from a week to two weeks to get any updates out if I were to let HS host it for me. I have no idea if this is how it is, but setting one initially up always takes me a week or longer.

    I, personally, have absolutely no tracking on who hits that portion of my site though I have considered adding tracking to the zips merely for informational sake (see how many are trying it). My host may keep HTTP logs, but they would have no context to those requests. I believe the new Developer portal may solve many of these issues, but it's not here yet.

    If you force me to use SSL on my site, I will just be forced to go through HS to host my plugin (which likely won't be SSL either) and updates will be slow for the users. I just don't have a need for SSL on my hosting solution and I don't plan on adding it anytime soon or ever.

    I understand the security concerns, and hopefully the developer portal will solve some or all these concerns, but only time will tell. I've never heard of anyone having any security issues ever with a plugin or linked back to HS via the self-hosted plugins. Not saying it couldn't happen, just that I don't think there has ever been a case.

    Like I said, just my $.02



      #17
      https://forums.homeseer.com/showthread.php?t=187549

      This was an attack apparently targeting HS3 installations. One post (#9) speculated that a developer site could be the source of the breach. Not definitive obviously.



        #18
        Originally posted by sirmeili View Post
        As a developer of a couple of plugins, here is my $.02.

        Hosting my own files allows me to do instant updates to the updater. Based on my experience of trying to set up a new plugin in the updater (even with me hosting it), it would take me from a week to two weeks to get any updates out if I were to let HS host it for me. I have no idea if this is how it is, but setting one initially up always takes me a week or longer.

        I, personally, have absolutely no tracking on who hits that portion of my site though I have considered adding tracking to the zips merely for informational sake (see how many are trying it). My host may keep HTTP logs, but they would have no context to those requests. I believe the new Developer portal may solve many of these issues, but it's not here yet.

        If you force me to use SSL on my site, I will just be forced to go through HS to host my plugin (which likely won't be SSL either) and updates will be slow for the users. I just don't have a need for SSL on my hosting solution and I don't plan on adding it anytime soon or ever.

        I understand the security concerns, and hopefully the developer portal will solve some or all these concerns, but only time will tell. I've never heard of anyone having any security issues ever with a plugin or linked back to HS via the self-hosted plugins. Not saying it couldn't happen, just that I don't think there has ever been a case.

        Like I said, just my $.02
        I'm of the same opinion or experience, if I want to push a new version of a plugin and I host it myself then it takes me 30 seconds to change a couple of files. I've still got a plugin that has not been added to the HS updater and I asked months ago, having HS host them which is clearly a manual process for them is likely to incur significant delays with me getting new releases out.

        The thread below is why I speculate at the potential implications of having third parties host the plugins. If someone still had their server running on port 80 with default accounts then I could be in and shutting their HS system down in seconds. I might have been wildly off the mark but I was not vetted when I added a plugin to the updater and if I had sinister intent then it would seem like a reasonable way of getting at least some data about people's HS systems.

        Originally posted by zwolfpack View Post
        https://forums.homeseer.com/showthread.php?t=187549

        This was an attack apparently targeting HS3 installations. One post (#9) speculated that a developer site could be the source of the breach. Not definitive obviously.



          #19
          We have developed a new "Developer Portal" similar to what Apple and Google have available for their developers. The developer can log in, update their plugin description, upload plugin zip files, etc. It will allow them to publish updates to their plugin files as well as their descriptions. We had some delays getting it going but it's being tested now with some developers and is just about ready to go live. Once live, the plugin files will be hosted on our server.
          💁‍♂️ Support & Customer Service 🙋‍♂️ Sales Questions 🛒 Shop HomeSeer Products



            #20
            Originally posted by rjh View Post
            Once live, the plugin files will be hosted on our server.
            That sounds excellent and will surely improve both the security situation and performance.

            Did you consider implementing a control in HS to disable all communication to find.homeseer.com and checkip.homeseer.com for those of us that do not use the MyHomeSeer service? I'd prefer that my system IP address not be constantly updated in a database at HST that could be stolen someday.



              #21
              Awesome! Appreciate it Rich and Team!

              Originally posted by rjh View Post
              We have developed a new "Developer Portal" similar to what Apple and Google have available for their developers. The developer can log in, update their plugin description, upload plugin zip files, etc. It will allow them to publish updates to their plugin files as well as their descriptions. We had some delays getting it going but it's being tested now with some developers and is just about ready to go live. Once live, the plugin files will be hosted on our server.
              HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.



                #22
                It has always been up to the developer if they wanted to self host or have HS host. Even with HS2 I had made the decision to self host. The reason was that it could take several days before a new version was posted when it was hosted by HS. Made it hard to respond quickly to a bug. Since I already own a domain name for email purposes I can just post them there at no extra cost.

                I don't charge for any of my plugins. I would have to stop providing them if it had been a requirement to purchase an SSL cert.
                Fortunately, HS is coming up with a solution so that they can host and still allow the developer to post a new version quickly when needed.
                --
                Jeff Farmer
                HS 3, HSPhone
                My HS3 Plugins: CFHSExtras, Random, Restart, Tracker, WeatherXML, PanaBluRay
                Other Plugins In Use: APCUPSD, BLOnkyo, Device History, EasyTrigger, HSTouch Server, PHLocation2, Pushover, RFXCom, UltraGCIR3, UltraMon3, UltraPioneerAVR3, X10, Z-Wave

                Hardware: GoControl Irrigation Controler, Schlage Lever Lock, Schlage Deadbolt, Way2Call Hi-Phone, RFXCom RFXrec433 Receiver, WGL 800, TI-103, Z-Net, Pioneer 1120, Pioneer 1021, Pioneer LX302, Panasonic BDT-110, Panasonic BDT-210 x2



                  #23
                  I will consider, but if you have a system connected to the Internet, your IP is already logged by every web site or service you visit.

                  Note also that HS does not save your IP with either CheckIP or Find, the ip is saved in memory so you can find your system, but it is not saved to any permanent storage. I believe those services are not a concern.

                  I hate adding more config settings to HS as there are too many already. Maybe I can add it to the "Labs" tab in setup.

                  I suspect you have a fairly complex router, why not just block access to those 2 URLs there?

                  Originally posted by Mountainman View Post
                  That sounds excellent and will surely improve both the security situation and performance.

                  Did you consider implementing a control in HS to disable all communication to find.homeseer.com and checkip.homeseer.com for those of us that do not use the MyHomeSeer service? I'd prefer that my system IP address not be constantly updated in a database at HST that could be stolen someday.


                    #24
                    Originally posted by rjh View Post
                    We have developed a new "Developer Portal" similar to what Apple and Google have available for their developers. The developer can log in, update their plugin description, upload plugin zip files, etc. It will allow them to publish updates to their plugin files as well as their descriptions.
                    That's great news! Thanks much for the update. I assume then that the Portal would allow the rapid plugin turnaround that today drives many developers to host their own plugins?

                    Once live, the plugin files will be hosted on our server.
                    I'm not a developer, and certainly don't have the background on the Portal, so just to be clear about its function let me ask:
                    1. Will ALL client updater to/from Portal communications be secure?
                    2. Will ALL plugins be required to use the Portal?
                    3. Will HS perform some kind of virus scan on the plugins as they are uploaded and before they are made available to be downloaded?
                    4. And last, what are the answers to the questions I should be asking but don't know enough to ask?

                    Thanks again,
                    Gary



                      #25
                      Originally posted by rjh View Post
                      I believe those services are not a concern.
                      How about this? Apparently there is no check that a registration is originating from the network being added to. As an example, I made these "enhancements" to my results from outside my LAN (from phone with wifi off). The links work, BTW.

                      So if someone knows your outward facing IP, they can spam your find results


                        #26
                        Originally posted by rjh View Post
                        I suspect you have a fairly complex router, why not just block access to those 2 URLs there?



                          #27
                          You don't want to do IP blocking -- right now find.homeseer.com, checkip.homeseer.com and updatercontrol.homeseer.com all resolve to the same thing. What you want to do is short-circuit the name lookup. I'd suggest trying to block it in the hosts file. On Windows, that's at %windir%\System32\drivers\etc\hosts. Add a couple of lines:

                          127.0.0.1 checkip.homeseer.com
                          127.0.0.1 find.homeseer.com

                          Comment
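
One way to verify the hosts-file approach from post #27, as an added example that is not part of the original thread: the script parses hosts-file text, confirms that the two names are sinkholed, and warns if updatercontrol.homeseer.com (which the updater still needs) was blocked as well. It assumes the first matching entry for a name wins; the function names and the sample text are constructed for illustration.

```python
import ipaddress

BLOCK = ("checkip.homeseer.com", "find.homeseer.com")   # names post #27 sinkholes
MUST_RESOLVE = ("updatercontrol.homeseer.com",)         # the updater still needs this one

def parse_hosts(text):
    """Return {lowercased name: ip}. Assumption: the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: line is ignored
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), ip)
    return table

def audit(text):
    """Map each name of interest to 'sinkholed', 'overridden' or 'not in hosts'."""
    table = parse_hosts(text)
    report = {}
    for name in BLOCK + MUST_RESOLVE:
        ip = table.get(name)
        if ip is None:
            report[name] = "not in hosts"
        else:
            report[name] = "sinkholed" if ip.is_loopback or ip.is_unspecified else "overridden"
    return report

def problems(text):
    """List deviations from the intended setup (empty list means it matches)."""
    r = audit(text)
    out = [f"{n}: expected sinkhole, got '{r[n]}'" for n in BLOCK if r[n] != "sinkholed"]
    out += [f"{n}: updater host should not be in hosts ('{r[n]}')"
            for n in MUST_RESOLVE if r[n] != "not in hosts"]
    return out

# Constructed sample: one entry is commented out, the other uses mixed case.
SAMPLE = """\
# 127.0.0.1 checkip.homeseer.com
127.0.0.1   Find.HomeSeer.com   # added per forum post
"""

if __name__ == "__main__":
    print(problems(SAMPLE) or "hosts file matches the intended blocking")
```

To check a live machine, pass the contents of the real hosts file to `problems()` in place of `SAMPLE`.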


                            #28
                            Originally posted by zwolfpack View Post
                            You don't want to do IP blocking -- right now find.homeseer.com, checkip.homeseer.com and updatercontrol.homeseer.com all resolve to the same thing. What you want to do is short-circuit the name lookup. I'd suggest trying to block it in the hosts file. On Windows, that's at %windir%\System32\drivers\etc\hosts. Add a couple of lines:

                            127.0.0.1 checkip.homeseer.com
                            127.0.0.1 find.homeseer.com
                            I was attempting to block access to checkip and find for anything on the network. This would include HSTouch clients. I don't know how they behave if MyHomeSeer isn't being used and didn't have time to investigate this. I changed my DNS server configuration such that there is no IP returned when a lookup is performed for checkip.homeseer.com and find.homeseer.com. Since all of my HS stuff points to this DNS server, I think it is covered. My public IP is no longer shown on the 'about' page. A DNS lookup of updatercontrol.homeseer.com returns the IP address and the updater seems to work at the moment.

                            I just edited the hosts file as that takes care of the main HS machine regardless of any downstream config. Thanks for the suggestion. I do have a secondary (public) DNS config. on the HS machine so the hosts entry is needed in case of fail-over.

                            A configuration option to block all of this would be much simpler as I would not have to keep abreast of any changes in the architecture of the HST network services.



                              #29
                              Here do not utilize myhomeseer.com in Homeseer 3, Designer and HSTouch clients.

                              Homeseer 3 does still do a dynamic DNS resolution running with this stuff as there is no switch to shut it off. It was the same for Homeseer 2. None the less you can block the single port that HS uses for the dynamic DNS it utilizes. I used to and do not today.

                              Here did shift to using the firewall rather than the client for the rules sets. The firewall does change standard calls to DNS (using port 53) on the LAN to what is defined on the firewall. (using DNS resolver).

                              Also utilize PFSense PFBlockerNG which is a geoblocking plugin using Maxmind which works well. Currently it is letting a few HS plugin IPs through which are on the Maxmind DB...

                              websitehome.co.uk
                              homeseer.du-pre.com
                              dubdubdub.domogeek.ca
                              bbmessenger.hobby-site.com
                              90.229.140.183
                              hsupdater.exdivio.com
                              dubdubdub.myautomatedhome.net
                              - Pete

                              Auto mator
                              Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb

                              HS4 Pro - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
                              HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

                              X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant
