I'm new and just getting started, but a couple of things concern me right off the bat. The hub UI is defaulted open on port 80 with no password\pin requirements. I have enabled the UI security and created a user, but that doesn't seem to give me hope that security is a focus.
Everything now days that works on the web should at a minimum have a default password and should run on 443 (https). Passwords and data should not be sent in clear text. Parts of the configuration in setting of things like Life360 and other apps ask that you enter in your username and passwords for these apps. I worry my credentials are not being encrypted.
The cloud dashboard link that was txted to me seems to be accessible to anyone that has the link. There's now login or pin to verify the user. So anyone that has that link can control devices in my house or view cameras if\when I get them added to the dashboards. This isn't good.
I like what I see from Hubitat so far, but with the amount of hacking and data breaches, platform security needs to be a bigger focus.
Unless you do some port forwarding or open your internal network to the outside world, you shouldn’t have to worry about anyone accessing HE hub.
Everything else on your network has more bidirectional open ports than the HE hub. If someone gets inside your home network or on one of your systems.... you got a lot more to worry about than your HE hub.
HE really doesn’t talk out of your network except on dynamic high ports to port 8883 for updates, app downloads, etc. If you choose to integrate things like Alexa or Google Home you’ll need it to talk out on at least port 443, maybe 80.
I don’t do cloud dashboards, but I’m going to assume they are decently secure enough not to fret over it.
I get it, but the solution shouldn't be just disable the functionality because its not secure. If you offer a function, it should be by default secure. Also, just because something is on your home network, it doesn't mean is secure. Example, if I walk into a bank, they still have the money locked up.
Your hub is, by default not accessible via the outside world unless you port forward it. Which we do not recommend at all.
You choose what you want to put on dashboard. And can secure it as you see fit. Only the cloud dashboard links are relayed via our secure cloud relay and not directly from your hub.
On your internal network, this isn’t as much of a big deal honestly. If you are concerned about someone sniffing traffic on your local network, then you have bigger issues.
I do know my local access is only going over port 443 though, can’t remember if I set something or not.
I log all HE traffic right now and I can’t recall the last time I saw any traffic go out to port 80. Anything that did wasn’t something to worry about.
Incorrect, if it isn’t accessible from outside the network and doesn’t talk out the network then the only way to access it is from inside the network.
No one is going to hit your HE hub on the private internal IP unless you are doing something very wrong.
Your bank example is bad, the HE hub isn’t wide open by a long shot.
I guess its a difference of opinion on security. For me, I don't leave much to chance even on my own network. In the rare instance someone was able to get on my network, they wouldn't be able to access or sniff anything due to additional security.
You mentioned I can secure the cloud dashboard as I see fit, does that mean I can put a username and password on it? I haven't made it that far on configuring, but some of these things were questions I initially had.
Any outside configuration calls would be done over https by default (as long as the service being called supports it). In that case, the credentials would be transmitted securely. If you hookup to an external service (say through a custom device or app), that doesn't support https by default, I don't see how that would be Hubitat's fault though.
As for local credential storage, I'm not sure if HE encrypts that locally or not. But, given the laser focus they have on access security on the platform, I seriously doubt they would be storing username/passwords in clear text in the local database.
The hubitat site you configure the settings on is on port 80. Clear text is being sent from my device accessing the hub site to the hub. The hub itself is probably using 443 to talk to the various services like Life360.
I want to point out, I'm not dogging the platform and I like what I see so far, it's just some observations and maybe some points that the developers might want to keep in mind for future releases.
Feel free to use https to access your hub. However since it is only accessible via a local ip address, the hub uses a self signed certificate to provide security and your browser will complain about it.
Trust me, there is no difference of opinion. I don’t have time to explain how tinfoil hat I am.
But there are facts, almost every home user is using NAT and a statefull firewall (if they know it or not). The HE hub doesn’t talk accessibly out of the network to begin with by default. There isn’t any massive vulnerability on the system (I’ve looked a bit).
If you think someone wouldn’t be able to sniff of access something IF they got on your network you’re wrong. There is always one thing that can start the dominoes falling.
Like I said there are far more insecure and vulnerable systems on most peoples’ home network that “could” put them at risk. Printers, old or rooted tablets/phones, random WiFi devices, HTPCs using random unverified streaming code or sources, etc, etc.
The other option is not to connect your HE to the internet or network other than for updates. It's a local processing hub. All your Z-wave/Zigbee devices will still be working.
You can also get a cheap router and just have HE and your dashboard locally without internet.
As already covered a few times, this is local to your network not out in the internet.
Don’t like it, use HTTPS, I do. But it’s not a big deal honestly unless for some random reason you are targeted by someone malicious or are unlucky. And the last thing to worry about is your HE username and password.
I hadn't tried using 443 yet, I'll do that when I get home. Self signed is ok, minor annoyance with the warning. I imagine Hubitat could push a signed cert to the hub to fix that issue. Is there a way to disable the port 80 and default it to 443?
Also, turning things off or not putting them on the internet is not really a solution for not securing something. Everything should be secured. There isn't really a reason not it.
I worry about all my things that connect and all my credentials, which is why i try to secure things to the best that I can. If my home network gets breached somehow. I'll feel better that the devices that have additional security are still secure. I'd only have to sweat the ones that aren't.
I don't want to go around and beat this dead horse. If the hub can be accessed via 443, then great. It would be nice to have a signed cert, maybe it'll come at a later time. Maybe later the http port 80 site could be turned off too. Also, if the dashboard can be password protected, then I'm good there too.
AFAIK no certificate authorities will sign a certificate for a private ip address.
