Jump to content

Welcome to Smart Home Forum by FIBARO

Dear Guest,

 

as you can notice parts of Smart Home Forum by FIBARO is not available for you. You have to register in order to view all content and post in our community. Don't worry! Registration is a simple free process that requires minimal information for you to sign up. Become a part of of Smart Home Forum by FIBARO by creating an account.

 

As a member you can:

  •     Start new topics and reply to others
  •     Follow topics and users to get email updates
  •     Get your own profile page and make new friends
  •     Send personal messages
  •     ... and learn a lot about our system!

 

Regards,

Smart Home Forum by FIBARO Team


Fibaro GUI HTTPS instead of HTTP


antray

Recommended Posts

Guys, if you're looking at https to connect remotely, I think an even better option from security standpoint is implementing a reverse proxy on a raspberryPi and exposing it on a randomly chosen port - I'm using nginx for that, it runs very smoothly and I can keep it updated with the latest security patches. You can find an easy step-by-step guide here

Please login or register to see this link.

including how to generate public certificates. I'm thinking to add also ModSecurity for additional security but I'm not there yet (

Please login or register to see this link.

is a starting point if someone wants to try)

 

Ciao

R

Link to comment
Share on other sites

  • Topic Author
  • See my post of 2018-01-02... Reverse proxy has been tried, but it only functional for the Web GUI access... The mobile app does not do https if not connecting to remote access...

    So reverse proxy could be a workaround if you do not use the mobile app.

     

    Link to comment
    Share on other sites

    Hey Guys, this is a must have feature. Just use 

    Please login or register to see this link.

     to create free certificates on the server and enable https ONLY.

     

    +1

    • Thanks 2
    Link to comment
    Share on other sites

    W dniu 10.05.2019 o 11:26, T.Konopka napisał:

    I get it - you want the HTTPS in local connection - and sure, you have a good point as it is a security matter. I contacted the team regarding the case. I am waiting on a reply and I will get back to the post as soon as I receive one :)

     

    This was already reported back in 2017. This is a shame that Fibaro does not recognize obvious security matters claiming to be serious player of IoT market. Please name somebody that can make this important decision. This is a shame that access to the web interface of your products is not encrypted. And you are talking about constructive feedback? C'mon, it was already there in 2017 but you just don't care about BASIC things.

     

    (by the way just to let you know criticising Fibaro on that forum is punished with warnings from the Fibaro employees, unability to write for some time, you will also be called a troll).

    I guess that speaks for itself.

    Link to comment
    Share on other sites

    Yep 2017 what a time it was.....join the club of requesters....the admins pass it on...the developers ask permission... the management says NO...
     

    2019......Blablabl...blablabla...blablalaaa...BlaaBllaaaa....NO!

    2020........................................NO!

    • Thanks 1
    Link to comment
    Share on other sites

    @aNj , thanks for the input! ;) I will add it to my report!

     

    @justanuser , I refer you to this category

    Please login or register to see this link.

    - all your warnings came from this category. They had nothing to do with criticism of FIBARO which is actually kinda expected if consumers do not like something.

     

    And if in your opinion a comment

    Quote

    ...stop taking drugs...

    is a constructive feedback then I have nothing more to add.

     

     

    Link to comment
    Share on other sites

    The topic has been moved from "

    Please login or register to see this link.

    " to "

    Please login or register to see this link.

    ".

     

    Temat został przeniesiony z "

    Please login or register to see this link.

    " do "

    Please login or register to see this link.

    ".

    Link to comment
    Share on other sites

    • 2 months later...
    On 5/11/2019 at 5:54 PM, aNj said:

    Hey Guys, this is a must have feature. Just use 

    Please login or register to see this link.

     to create free certificates on the server and enable https ONLY.

    I love Let's Encrypt, and are using them alot..

    Probably not a solution that will work for most users - Your HC2 is hopefully not directly exposed to the internet, then you need to fiddle with NAT and firewall rules.. Not a task for the average Joe.

    You can have it as a option, but Self Signed certificates is probably the easiest way.

     

    I would also very much like to have HTTPS in the GUI please

     

    Link to comment
    Share on other sites

    On 11/3/2017 at 10:11 AM, I.Srodka said:

    Hi guys!

     

    GUI is not HTTP because it's a local connection within your LAN/WLAN network so it's as safe as your Wi-Fi. It doesn't leave your network.

     

    However, there is still a way to access Home Center via HTTPS.

     

    Please login or register to see this link.

    Please login or register to see this spoiler.

    Hi the big local LAN’s shoud be treated as internet. So the need for https is there. Also remote call from fibaro to internet need https option.

    Link to comment
    Share on other sites

    I agree that https is needed.

    Maybe a HC3 is coming soonish which could allow https and zwave plus.

    Link to comment
    Share on other sites

    Also I think https is a must. But also should be something easy for a simple user, for example I don't know what is a "reverse proxy" and how to configure

    Link to comment
    Share on other sites

    • 5 months later...

    @T.Konopka

     

    This topic has been going on for some years. I understand the request has been submitted as a suggestion. Companies that want to have a good reputation with customers typically respond with progress on where their requests and features are. Currently, there is no visibility into roadmap, or view on prioritised backlog of requests. There are many companies that publish the customer request pipeline proces. For example, "requested", "consideration for future", "planning to do", "implemented", "not doing" etc. With each one giving a clear reason why that status was chosen. The result is customers know where they stand and why.

     

    The only reason why you get verbal abuse from customers is their frustration in thr alck of any communication plan and support. The lack of thought in using customer support as a clear customer retention strategy is evident.

     

    I appreciate you are the middle man, and I can probably empathise with your situation of making the requests and potentially hitting a brick wall yourself, unable to make responses.

     

    However, when you are offering a product that promises the ability to automate your home, secure your home, protect your home and even by used by those who depend on it (because of disabilities) - showing a clear lack of care for what is a serious security issue is extremely disappointing. I wonder, if the chairman of Nice was using the technology fully and was hacked, what the response would be then?

     

    Does HC3 solve this problem?

     

     

    Link to comment
    Share on other sites

    Fibaro is listening to users and new HC3 have both HTTP and HTTPS. For HTTPS certificate is needed and it is possible to download it from interface, but for now there is some problem with that certificate missing ownership which browsers don't like, but I believe Fibaro will solve it hopefully in near future.

     

    For HC2 I don't expect they will ever add HTTPS, but again I might be wrong.

    Link to comment
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×
    ×
    • Create New...