Jump to content

Welcome to Smart Home Forum by FIBARO

Dear Guest,

 

as you can notice parts of Smart Home Forum by FIBARO is not available for you. You have to register in order to view all content and post in our community. Don't worry! Registration is a simple free process that requires minimal information for you to sign up. Become a part of of Smart Home Forum by FIBARO by creating an account.

 

As a member you can:

  •     Start new topics and reply to others
  •     Follow topics and users to get email updates
  •     Get your own profile page and make new friends
  •     Send personal messages
  •     ... and learn a lot about our system!

 

Regards,

Smart Home Forum by FIBARO Team


DrPepper

HTTPS support...

Recommended Posts

Hello Fibaro team,

 

Internet as we speak is transforming towards more and more use of HTTPS and TSL.

 

My question is simply, is there a timeplan for HC2 to transfer from HTTP to HTTPS also on the local site access solution? I understand there can be difficulties with the certificates......

 

For example, I would prefer to send an HTTPS request to HC2 for starting scenes or altering status on a device, where username and password are protected with TSL transmission.

 

Kindly,

DrPepper

Share this post


Link to post
Share on other sites

Hi @DrPepper!

 

1 hour ago, DrPepper said:

I understand there can be difficulties with the certificates......

That's probable one of the reasons.

 

Moreover, encrypted connection could hinder communication with some third party devices and integrations. This would require some additional APIs, tokens and systems. 

 

Many of our integrations and plugins would require a rewrite.

 

I'm not saying it's impossible, but it's not likely anytime soon. 

 

I will forward your suggestion to the appropriate team.

 

Share this post


Link to post
Share on other sites

Hello,

 

4 minutes ago, I.Srodka said:

Moreover, encrypted connection could hinder communication with some third party devices and integrations. This would require some additional APIs, tokens and systems.

No mention of control Fibaro by different systems like Control4 and Crestron. I think that it would also turn down ImperiHome.

 

I think it is kind of fancy to have some asymetric encryption on the ends (phones/tablet <--> web server) than on the transmission. I think SHA-3 or RSA (ffels like cannon on the bugs), if we want to go high in security, could be more efficent.

 

And maybe it would not cost that much to rewrite plugins for that.

 

I believe here is nice simple analogy.

Please login or register to see this link.

Share this post


Link to post
Share on other sites
  • Topic Author
  • Hello all,

     

    Please note, I am not saying it is not going to be a challenge to implement it. And, I am not saying it's not going to come with a cost of some sort. However, if we look at last year and the disaster with the bot net Mirai utilizing IoT devices which had poor security on them, that's a situation no company with reputation would like to face.

     

    While we're on the subject though - there is of course an extension to this.....

    Looking at the amount of money spent on these systems, the investment is not that small.

    I am approaching something like 35 nodes in my Z-wave network and I'm just doing the basics, so the amount of money and time poured into this is starting to build up quite a bit.

    This means, the investment I make have to last longer.

    And, I'm not talking about the physical HW - they have limitations in terms of life too - I am talking about the SW security here.

    Not just on the HomeCenter2(/Lite) but also on the small devices in the z-wave-network. Gen5 is a step in the right direction with update capability, but, the unfortunate reality is that unless the physical device actually breaks, they would need a 10 year period (at least) of support for updates to ensure security.

    Please note, I am not asking you to comitt to that support situation today but, it's something most IoT companies need to start considering. Especially for devices which will have the "built-in situation" like in a house. I am just trying to offer a perspective which probably is different compared to many IoT-device-building companies out there.

     

    Another situation is the "Meltdown" and "Spectre" bugs on chip design level.

    I've yet to understand what PC main board I have in my HC2, and even less, if there is a BIOS upgrade for it or not, and how to do such a thing with the current lock-down of the HC2 device as such.

     

    In short, the whole chain needs to be secured and kept secured, over a longer time, at least when we look towards the future of IoT in general, where Home Automation is one of the parts. We all want to make our lifes easier - so we can spend more time doing things we like, rather than routine jobs. Security needs to be brought along too in this aspect.

     

    Kindly,

    DrPepper

    Edited by DrPepper
    Sentence correction..

    Share this post


    Link to post
    Share on other sites

    I second the proposal by DrPepper. HTTPS feels like standard nowadays.

     

    I hit a snug the other day related to this. I have develoloped my own Android app which fetches data from the HC2 api and it stopped working with Android 9 due to new security restrictions. Clear text HTTP is no longer permitted. And since HTTPS is not supported by HC2, I am a bit stuck.

     

    The Fibaro app is still working though, so I suppose it goes via https

    Please login or register to see this link.

     to interface my HC2.

     

     

     

     

     

     

    Share this post


    Link to post
    Share on other sites
    59 minutes ago, perjar said:

    And since HTTPS is not supported by HC2, I am a bit stuck.

    setup on rPI nginx and transform HTTP requests between your app and HC2.

    (it's joke)

     

    jokes aside we needing also support https and TLS2 (because TLS 1.0 and 1.1 is deprecated) in LUA level. 

    Fibaro support still answers me what https supporting on LUA level incomplete and disabled in VD at all.

     

    ¯\_(ツ)_/¯

    • Like 1

    Share this post


    Link to post
    Share on other sites

    Well, setting up a my rPi reversed proxy using NGINX is in fact what I am trying to do as a work around. Let's see if I can get it to work. :-)

    Share this post


    Link to post
    Share on other sites
    13 minutes ago, perjar said:

    Well, setting up a my rPi reversed proxy using NGINX is in fact what I am trying to do as a work around. Let's see if I can get it to work. :-)

    offtopic yeah!

    Please login or register to see this link.

     

    but it really works, I have before,  some years ago...

    UPD: 

    Please login or register to see this link.

    Share this post


    Link to post
    Share on other sites

    @10der  @perjar I use the same setup, and a "free" dns and certificate service aka nginx + duckdns + let's encrypt (using certbot to manage the setup).

     

    This guide is for HASS but can be used as a general guide for the setup of those 3 as well...

     

    Please login or register to see this link.

     

    TBH I do not use it for HC, but "for other stuff". 

    • Thanks 1

    Share this post


    Link to post
    Share on other sites

    Btw, today my home QNAP update ssl certificates automatically also it provide native free DNS. So, I am simple wrote IPTABLE rule for redirection 4443 port in to 80 port HC2 ... without rPI and Nginx 

     

    Please login or register to see this image.

     

    V2wGJ3yiIJ.png

     

    jjG2BlWYH5.png

    Edited by 10der
    • Like 1

    Share this post


    Link to post
    Share on other sites

    Does HC2 have LUA-level support for TLS1.2? A very important API that I use is moving from TLS 1.0 and I am wondering if my scene will continue working...

    Share this post


    Link to post
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


    ×
    ×
    • Create New...