  • 0

Question

Posted

Hi,

So I noticed that the Home Center 2 UI uses the HTTP method POST to transfer the username/password when a user is trying to authenticate (log in). This basically means that the username and password are sent in clear text, free to be seen by anyone attached to the same network using a packet sniffer. I actually confirmed this statement using Wireshark.

One could argue that if a user has access to the local network, he should also be able to access the home center. But this is not always the case. And this issue becomes more critical if the Home Center will be managing security tasks.

What's your opinion on this issue?

How can it be solved?

I think adding HTTPS protocol as an option would solve this security issue.

And there is nothing to lose switching to https, especially not adding it as an alternative to HTTP.
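A defender-side check for the situation described in the question, as an added example that is not part of the original post: it inspects the first bytes a client sends on a connection and reports whether a login form travelled as plaintext HTTP or inside TLS. The request path, field names and address are constructed samples, not the Home Center 2's actual login request, and the list of sensitive field names is an assumption.

```python
from urllib.parse import parse_qsl

# Form field names that usually carry credentials (assumed list, not taken from the HC2 UI).
SENSITIVE = {"username", "user", "login", "password", "passwd", "pass", "pwd"}

def audit_payload(payload: bytes) -> dict:
    """Classify the first bytes a client sends on a TCP connection."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03,
    # so nothing after that point is readable to a passive observer.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"transport": "tls", "exposed": []}
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if not sep or len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {"transport": "unknown", "exposed": []}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    exposed = []
    ctype = headers.get(b"content-type", b"")
    # A POST body is not encrypted by HTTP itself; form fields are readable on the wire.
    if parts[0] == b"POST" and ctype.startswith(b"application/x-www-form-urlencoded"):
        for key, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if key.lower() in SENSITIVE:
                exposed.append(key)  # report the field name only, never the value
    return {"transport": "http", "exposed": exposed}

# Constructed sample: a form login sent over plain HTTP (path and fields are made up).
PLAIN_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=admin&password=s3cret"
)
# Constructed sample: the first bytes of a TLS ClientHello record.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC, 0x03, 0x03])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_LOGIN), ("tls", TLS_HELLO)):
        print(label, audit_payload(sample))
```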

5 answers to this question


  • 0
Guest ericf
Posted

HTTPS will use a little more resources ...

Not complicated to implement HTTPS on Apache ...

  • 0
  • Inquirer
  • Posted

    Well the resource difference is negligible in this case, especially as it goes over the local network.

    Nevertheless, I found out that they already use HTTPS when accessing the HC from home.fibaro.com (over the internet), so the implementation is already there.

    I suggest that they add HTTPS as an alternative, not as a replacement, to HTTP.

    • 0
    Guest Fidziu
    Posted

    ComputerScience,

    It's not a problem, we can put it in our timeline, but we didn't focus on that because of the local network.

    Remote access is encrypted.

    • 0
    Posted
    ComputerScience,

    It's not a problem, we can put it in our timeline, but we didn't focus on that because of the local network.

    Remote access is encrypted.

    Hello Fidziu,

    My HC2 is shared on the internet so at my office I can connect to my HC2.

    I connect to my HC2 with my domain name hc2.mydomain.com, and this URL is forwarded to my external IP.

    The connection to my HC2 is HTTP and not HTTPS, and not secure.

    I think that with an update you can authorize the user to add his certificate to activate HTTPS to have a secure connection.

    I do not use home.fibaro.com; I use my domain name to my external IP.

    Kind regards

    Pascal

    • 0
    Posted

    Yeah, it would be great if this feature can be prioritized.
