When I log into my Hubitat Hub via the Chrome Brower, the upper left address bar says "Not Secure." I tried using the findmyhub process, but that also takes me to an unsecure site. Is there a way to make the Hubitat hub URL secure?
It's due to not using HTTPS to connect to the hub - thus the traffic is not encrypted using SSL/TLS. If you're on your local WiFi it's generally not an issue.
3 Likes
Seconding this advice. This is very common for devices that are only accessed locally (network printers, your router/modem, and likely other things on your LAN).
But HTTPS does work if you want to try -- it's buit-in with no extra effort required if you don't mind having to accept the self-signed certificate in your browser. Otherwise (as hinted at above), create one for your own for a hostname. To just do the former, navigate to https://192.168.x.x instead of http://192.168.x.x as you are now (Chrome hides the protocol until you click in to the address bar, but that's the difference).
But again, for a typical home network, this isn't a concern for most people. Chrome, and many modern browsers, are just increasingly aggressive at letting you know when something isn't HTTPS.
4 Likes
Thank you for the quick replies. I'm still getting unsecured access, even with https://
In "Settings" > "Hub Login Security" > I clicked on "SSL certificate configuration for HTTPS", and turned on "Hub UI SSL Only (HTTPS://)."
@672southmain was there something else I needed to do on the screens you shared?
This is yet another "aggressive" warning from Chrome, since the certificates are self-signed, instead of issued by a trusted Certificate Authority. You can manually import the certs into your browser: Working With Self-Signed Certificates in Chrome (Walkthrough Edition) | by David Gu | Medium - though even this is overkill and does not inherently improve your security. It technically protects you from someone on your local LAN spoofing your Hubitat (in an attempt to get your credentials) - as encountering a different certificate would again present the warning - but how likely is that? It's definitely over the top to shell out for a CA cert from a personal device.
5 Likes
Note: Hub Mesh won’t work with HTTPS turned on, or at least it still didn’t a few days ago, and I think the docs highlight this too.
As other have stated, HTTPS isn’t a huge concern on your local lan unless you have bigger issues.
Everything FROM the internet by default can’t directly see or talk directly anything on your 192.168.x.x private network, they see and talk to the public IP your ISP gives your modem/router/firewall which in turn talks to devices on your private network.
