Jump to content

Welcome to Smart Home Forum by FIBARO

Dear Guest,

 

as you can notice parts of Smart Home Forum by FIBARO is not available for you. You have to register in order to view all content and post in our community. Don't worry! Registration is a simple free process that requires minimal information for you to sign up. Become a part of of Smart Home Forum by FIBARO by creating an account.

 

As a member you can:

  •     Start new topics and reply to others
  •     Follow topics and users to get email updates
  •     Get your own profile page and make new friends
  •     Send personal messages
  •     ... and learn a lot about our system!

 

Regards,

Smart Home Forum by FIBARO Team


Fibaro GUI HTTPS instead of HTTP


antray

Recommended Posts

Hi,

 

 

I'm quite shocked that the GUI still is http only.

(and even more shocked that my report in bugzilla from december 2016 has not even been answered: 

Please login or register to see this link.

)

Does anybody know when can we expect https for accessing the GUI?

Also in private network connections, the access to the GUI (browser and/or mobile/tablet apps) should be using encrypted connections via https.

 

  • Thanks 1
Link to comment
Share on other sites

Hi guys!

 

GUI is not HTTP because it's a local connection within your LAN/WLAN network so it's as safe as your Wi-Fi. It doesn't leave your network.

 

However, there is still a way to access Home Center via HTTPS.

 

Please login or register to see this image.

Please login or register to see this attachment.

 

You can use home.fibaro.com, which is HTTPS enabled:

Please login or register to see this attachment.

 

 

Link to comment
Share on other sites

  • Topic Author
  • @I.Srodka

    Wow... Promoting home.fibaro.com as the way to use https...Really??? Why do I need access to the internet to manage my own device in a "secure" way...

     

    Even in my own network, communication should be secure. Security is not only for connections to the internet.

    You must realize that usernames and passwords are being sent over an unencrypted connection, device settings are sent unencrypted (have a look at another security issue without any response: 

    Please login or register to see this link.

    ).

    Even as I am managing my own network, issues are possible with vendor software causing a possibility of exposure to unauthorized people.

    With various controls in my network I minimize the risk of being compromised. HTTPS for any service in my network is one of those controls.

    I don't want to rely on only one control (as you mention the security of the wifi network).

     

    The https solution you provide (home.fibaro.com) is from my opinion introducing another risk instead of a solution.

    So still: 

    Also in private network connections, the access to the GUI (browser and/or mobile/tablet apps) should be using encrypted connections via https.

     

    Regards,

    Raymond.

    • Thanks 1
    Link to comment
    Share on other sites

    13 hours ago, I.Srodka said:

    GUI is not HTTP because it's a local connection within your LAN/WLAN network so it's as safe as your Wi-Fi. It doesn't leave your network.

     

     

    With Wi-Fi WPA2 security vulnerable to KRACK attacks that's simply not a sufficient response nor a sustainable solution.

    So +1 from my side as well, to get this fixed with some urgency within a reasonable timeframe.

    Link to comment
    Share on other sites

    • 1 month later...
  • Topic Author
  • On 30.12.2017 at 5:25 PM, abpostelnicu said:

    You can have https using a reverse proxy for fibaro gui like nginx. This is what I'm doing right now.

    There are a few issues with this setup... (yes, I have tried...)

    1. It works nice if you use the web interface only. The mobile/tablet app don't connect to the ssl proxy interface.

    2. Any device in the same network still has has the possibility to intercept traffic (including passwords) in plain text.

    3. If a vendor has an article about how to end users should keep their system secure, the vendor has to give an option to end users to have a secure system in the first place.

     

    So @I.Srodka @T.Konopka, when can we expect this security issue to be treated seriously and solved?

    To who within Fibaro should this issue be addressed, who needs to be convinced that this is a bigger issue than currently (more than one year) being handled?

     

    Regards...

    • Like 1
    Link to comment
    Share on other sites

    Well, HTTPs is nice to have.

     

    But 1st, i would like to have unified HTTP servers inside HC. HC2 is using appache and HCL is using nginx. So unified web server seems to be reasonable 1st step before doing anything with HTTPs on gateways.

    Link to comment
    Share on other sites

    From a resource perspective I'm sure HCL cannot do apache, not that matters but having HTTPS means using OpenSSL or LibreSS: or whatever flavour of ssl implementation that's available on posix, since HCL is using a debian distribution. Having this using a key of at least 2048bit is not feasible on a SoC that doesn't support NEON instruction set on ARM architecture. If i'm not mistaking HCL uses an A8 chip so concluding this is not doable in any scenario. So this is wishful thinking but in reality Fibaro is unable to have this on HCL.

     

    Now speaking about HC2, i think this is the board the Fibaro uses: DN2800MT this has an Atom N2800 CPU that doesn't have hardware AES support that means the cpu will be killed when generating the initial private key or when doing the handshakes to encrypt and decrypt data on different HTTPS methods, POST, GET, PUT, etc.

    • Like 1
    Link to comment
    Share on other sites

    On 30/12/2017 at 5:25 PM, abpostelnicu said:

    You can have https using a reverse proxy for fibaro gui like nginx. This is what I'm doing right now.

     

    Hi, I also implemented nginx on a raspberryPi but I also need to implement caching of js files because my HC2 is in a remote location with ADSL (600k uplink) and  losing HC2 main page goes in timeout since 4.140. So the idea is to have nginx in a location with fiber and VPN to remote location, similar  setup to home.fibaro.com but with certificate authentication instead of double password authentication which makes it very inconvenient

     

    Have you been able to implement caching on nginx? It yes, can you please share your config file?

     

    Thanks!

    R

    Link to comment
    Share on other sites

    1 hour ago, rcanetta said:

     

    Hi, I also implemented nginx on a raspberryPi but I also need to implement caching of js files because my HC2 is in a remote location with ADSL (600k uplink) and  losing HC2 main page goes in timeout since 4.140. So the idea is to have nginx in a location with fiber and VPN to remote location, similar  setup to home.fibaro.com but with certificate authentication instead of double password authentication which makes it very inconvenient

     

    Have you been able to implement caching on nginx? It yes, can you please share your config file?

     

    Thanks!

    R

    No I haven't used cache for reverse proxy, having cache enabled add some security risks.

    Link to comment
    Share on other sites

    • 1 year later...

    Greatings from germany :-)
     

    The following happened at my home. My wifi was hacked by a neighbor. You can learn how to do this on youtube. Look for kali linux WLAN hacking. I noticed this when the intruder played with my Fibaro Homecenter. He turned on the alarm when I was sitting in the living room. At first I thought that my kids kidding me.
     

    The following weekend somebody tried to break into my house. Thanks to the many motion detectors in the house, the intruder could see that nobody was in the house. Nevertheless, the intruder did not come into my house because I installed sturdy mechanical addons on all windows and doors.
     

    Please fibaro give us https!!!

    Link to comment
    Share on other sites

    W dniu 3.11.2017 o 10:11, I.Srodka napisał:

    Hi guys!

     

    GUI is not HTTP because it's a local connection within your LAN/WLAN network so it's as safe as your Wi-Fi. It doesn't leave your network.

     

    However, there is still a way to access Home Center via HTTPS.

     

    Please login or register to see this link.

    Please login or register to see this attachment.

     

    You can use home.fibaro.com, which is HTTPS enabled:

    Please login or register to see this attachment.

     

     

     

     

    That should be awarded with Golden Poo 2019 award for the craziest it security approach this year.

    Fibaro, HTTPS IS A MUST IN 2019. Stop stupid excuses. This needs to be known by industry how you approach security. This is UNACCEPTABLE.

    Please stop taking drugs and start being serious.

     

     

    Please login or register to see this attachment.

    Edited by justanuser
    • Thanks 2
    Link to comment
    Share on other sites

    8 hours ago, justanuser said:

    Please stop taking drugs and start being serious.

     

    Please, be a troll somewhere else if you can't provide us with any constructive feedback.

    Link to comment
    Share on other sites

  • Topic Author
  • 56 minutes ago, T.Konopka said:

     

    Please, be a troll somewhere else if you can't provide us with any constructive feedback.

    @T.Konopka

    ... But now as we have your attention and are talking about constructive feedback...

     

    Can you give us (users of your product) constructive feedback on

    - Why we still do not have https functionality on the web interface?

    - Why I did not get any response from Fibaro on valid remarks and questions (see my post on 2nd of January 2018 and 3rd November 2017)? 

     

    Is there a possibility that we can get a repsonse on these still not solved issues?

     

    Regards...

    Edited by antray
    • Like 1
    Link to comment
    Share on other sites

    1 minute ago, antray said:

    - Why we still do not have https functionality on the web interface?

    Because, it was not implemented yet.

     

    1 minute ago, antray said:

    - Why I did not get any response from Fibaro on valid remarks and questions (see my post on 2nd of January 2018 and 3rd November 2017)? 

    Apparently, admins did not have anything new to post regarding your feedback. Meaning, the admin's last post exhausted the topic from our side.

     

    I get it - you want the HTTPS in local connection - and sure, you have a good point as it is a security matter. I contacted the team regarding the case. I am waiting on a reply and I will get back to the post as soon as I receive one :)

    Link to comment
    Share on other sites

  • Topic Author
  • 4 minutes ago, T.Konopka said:

    Apparently, admins did not have anything new to post regarding your feedback. Meaning, the admin's last post exhausted the topic from our side.

     

    So there was really no possibility for feedback on my question "To who within Fibaro should this issue be addressed, who needs to be convinced that this is a bigger issue than currently (more than one year) being handled?" :?

     

    Quote

    I get it - you want the HTTPS in local connection - and sure, you have a good point as it is a security matter. I contacted the team regarding the case. I am waiting on a reply and I will get back to the post as soon as I receive one :)

    Great... Hope to hear from you soon ;-)

     

    Link to comment
    Share on other sites

    On 1/2/2018 at 1:22 AM, antray said:

    To who within Fibaro should this issue be addressed, who needs to be convinced that this is a bigger issue than currently (more than one year) being handled?

    As for now, I am the only admin on the Forum so I am sort of a messenger ;) (and remember not to kill the messenger!)

     

    The issue/request has been reported to the team responsible for BUI as they are responsible for implementation of features.

    Link to comment
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×
    ×
    • Create New...