HTTPS / TLS aka: *secure* connections.

Posted on
Sun Jan 18, 2015 7:06 am
anode offline
Posts: 697
Joined: May 27, 2007
Location: NC

HTTPS / TLS aka: *secure* connections.

Unless I'm missing something, there is no HTTPS/TLS in the web server (and I'll assume clients too).

In this new world of The Internet of Insecure Things, not having the web server use TLS is scary for a system that runs your house and possibly alarm systems. Not to mention using it as a pivot point.

The old and tired meme of "It's my house, who'd even think to look for it." Ever look at your router logs??? CHOCK full of login attempts, port scans, etc.
Using GeoIP location I've seen most countries trying to get in to my system.

Even self-signed certs or RSA SSH key pairs could be used.

HSTS would be optimal.

Posted on
Sun Jan 18, 2015 4:52 pm
jay (support) offline
Site Admin
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: HTTPS / TLS aka: *secure* connections.

If you use Indigo Reflectors, then the connection is secure. Connections on your local network are in the clear if that bothers you. We have a feature request to support HTTPS directly in the web server but no idea when we'll get to it.

Jay (Indigo Support)

Posted on
Sun Apr 26, 2015 5:12 pm
Turribeach offline
Posts: 429
Joined: Feb 06, 2015
Location: London, UK

Re: HTTPS / TLS aka: *secure* connections.

+1 for this feature. Without HTTPS it will be virtually impossible to securely connect to my house while I am away. The only workaround I can see is to use VPN software to tunnel the connection in unsecured places such as hotel Wi-Fi networks. But that will only secure the connection up to the VPN provider's servers and has a cost linked to the VPN account. For full security the only solution will be to run a VPN server at my home, which is overkill for this requirement.

Perhaps this requirement could be broken into 2?

1) Securing Indigo Touch 2 communication so it uses its own secure channel rather than the Indigo Web Server.
2) Securing the Indigo Web Server with HTTPS.

Thanks!

Posted on
Sun Apr 26, 2015 6:14 pm
matt (support) offline
Site Admin
Posts: 21411
Joined: Jan 27, 2003
Location: Texas

Re: HTTPS / TLS aka: *secure* connections.

Feature requests are noted, but this part:
Turribeach wrote:
Without HTTPS it will be virtually impossible to securely connect to my house while I am away.

is not accurate. If you use an Indigo reflector then it is secure (secure tunnel from Indigo Server to our hosted server, then HTTPS from our reflector server to your mobile device).


Posted on
Sun Apr 26, 2015 6:30 pm
Turribeach offline
Posts: 429
Joined: Feb 06, 2015
Location: London, UK

Re: HTTPS / TLS aka: *secure* connections.

Oops, sorry, didn't know. Obviously I can see why some people may want to use the Indigo Reflectors service. In my case I chose Indigo because I didn't want any cloud solution for my home automation needs (or any solution that involved sending data to a third party) and I wanted to have a home alarm system that didn't incur a monthly fee. From your response it seems clear that IT2 already understands HTTPS, so all I would need to do would be to set up a reverse HTTPS proxy on my Mac, right?

Posted on
Sun Apr 26, 2015 6:53 pm
matt (support) offline
Site Admin
Posts: 21411
Joined: Jan 27, 2003
Location: Texas

Re: HTTPS / TLS aka: *secure* connections.

Correct, see this forum thread:

viewtopic.php?t=6213&f=8#p38268


Posted on
Sun Apr 26, 2015 7:00 pm
Turribeach offline
Posts: 429
Joined: Feb 06, 2015
Location: London, UK

Re: HTTPS / TLS aka: *secure* connections.

matt (support) wrote:
Correct, see this forum thread:

viewtopic.php?t=6213&f=8#p38268



Great! Thanks, more automation work for the holidays. :mrgreen:
