Hello clever people, please if you have the time can you please explain to me how to enable HTTPS and disable HTTP so I have extra security. I am a very slow learner and will be nice but dim, please have patience with me. Sorry to be a pest. I am a little worried about taking the next step and getting locked out of my hub.
Can you please give some background on what led you to pursue this option?
The "Hub Login Security" option (the page prior to this one) is often sufficient for most users' security concerns (including me), and that does not require this SSL Certificate step.
If you could explain your security concerns and goal, folks here can help you with the best solution (which may be this, but may be not).
Thank you for the quick reply, my friend. I am just worried about security with current levels of hacking and crazy things going on in the world. It's a private and local network, so not vulnerable from the LAN.
There really isn’t that much to be gained by encrypting the communication between your web browser and the hub’s administrative UI (which is what ssl does) if they are on the same local network in your home.
Although this line that you wrote is potentially confusing:
Did you mean LAN or WAN? LAN is local area network, WAN is wide area network (aka the internet).
Honestly those SSL options probably only exist for niche cases. There could be business environments where they do not allow any http connections for example.
Otherwise for HTTP to be a concern within your home LAN, you would either have to expose your hub to the internet via DMZ or port forwarding, OR someone would need to hack into your LAN from the outside. In either of those cases unencrypted HTTP traffic between a local PC and the hub is the least of your worries.
If you are concerned about someone on the LAN accessing the hub then turn on the hub security login. If you are concerned about someone on the local LAN then sniffing the http traffic and obtaining the login password, then maybe SSL would make sense in that case.
Sorry, I really am probably more dangerous around networking lol. I did mean LAN. I expose my devices externally using HomeKit and Home Assistant, if I have that right.
Thank you for putting my worries at ease.
If you expose your devices externally, you are exposing them to the WAN or Internet, from your LAN.
Not the best idea, but with Home Assistant using the NGINX SSL Proxy and tightened username and password, exposing to the internet is done (not saying it is the best idea) with a tunnel. But I would NOT suggest attempting the same with Hubitat. It has none of the hardening that comes with the NGINX on HA.
That may not have been the right term that the OP was looking for.
The Apple home app can’t literally expose devices to the internet (as I’m sure you know).
But it does make it possible to remotely access one’s devices while away from home (assuming one has a HomePod or Apple TV).
Home Assistant presumably could, since it can run on anything, and so it’s possible to expose the device it’s running on to the internet with a port forwarding rule, for example.
So @postmanjess it might be worth clarifying what you meant and how you’re accessing these devices remotely.
If you have the HA subscription, you can use their mobile app to access your dashboards remotely. That would be my guess.
Another thing I noticed in the OP’s screenshots above is that there’s a “VPN” tag in the browser address bar.
So @postmanjess it might also be helpful if you can elaborate a bit on how you’ve integrated a VPN while doing your web browsing.
Is there a VPN service you subscribed to, for example for privacy reasons? Are you running a VPN server at home? Both? Neither?
I think you mean the built-in VPN with Opera; it's subscription, so I don't have that one activated. I do use eero with the security package and that has a VPN for browsing, useful if watching a movie I can't get in the UK. I also use Tailscale on all devices but haven't a clue of the advantage.
I do have a HA subscription but I am new. I have just learned how to get a snapshot from cameras to display on the TV but realised it was an HTTP address for the snapshot. This made me worry if anything else was exposed and if I should learn how to set up a reverse proxy, but they are above my head, to be true. I will either work out how to do an HTTPS snapshot or put some crazy code on each HTTP snapshot address.
Sorry for not being clear with my intention. I was just concerned about security, but I think Hubitat is secure.
NGINX seems too confusing for me at the moment. I do have it and had a fiddle, but think I may leave that one for now.
Your post indicates some confusion between 'exposing' and what HTTPS does for you. You can be 'exposed' with both HTTP and HTTPS if someone can actively access your devices from the internet. Exposing anything to the internet is not advisable unless you understand how to properly harden the device. For example, even with HTTPS, I strongly advise against exposing your Hubitat hubs. They are simply not designed to handle attack vectors, regardless of your password.
What HTTPS does is prevent anyone from 'sniffing' the traffic between the client and server. It doesn't mean the server (hub) itself is actually secure.
With HA, the NGINX SSL Proxy is hardened and is used in the professional space to protect webservers. If you are not using that with HA, I wouldn't use anything that would allow access externally.
I don't think it does anything by itself, so probably no advantage.
Unless you mean when you are away from home you use Tailscale to stay connected to your home LAN, which could possibly have some advantages.
Honestly sounds like you are scared about security from useless media hype, and do not really know what you are doing. People who do know more about this, do far less. Personally I do almost nothing above and beyond. I have a standard home router, no extra firewall or anything besides a DNS ad blocker setup. Do not use a VPN for any normal activities, home or remote. Only thing I do is use very secure random passwords via KeePass and MFA logins when available.
But whatever makes you feel warm and fuzzy I guess...
I think if you use the mobile app with the cloud subscription it has a cloud relay system much like Hubitat does. I would assume it is pretty secure, I have never read anywhere to avoid using it or anything.
Other than that, I agree you would not want to just simply expose the HA web UI login externally.
Thank you for being such great support. I feel much happier now I am not putting myself or anyone else at risk of being hacked. I will leave everything as it is and forget about Tailscale as I don't have any real use for it, plus hopefully learn how I might get AdGuard up and running maybe. Thank you again, have a great weekend.
