Hubitat over HTTPS/SSL using Apache

Thank you @dman2306!

  1. Pointing out a vulnerability and saying "add it to the list of things to consider" should be as simple as that. If it is a known vulnerability, I shouldn't have to justify the attack type.

  2. Seeing a tutorial on an advanced setup and saying "people have an interest in this, wouldn't it be nice if the basic workings of this were available natively" shouldn't bring negative feedback.

Many of the community users have a high skill level with technology. I have seen other posts where someone has mentioned that x feature shouldn't be added because you can go get this other hardware and other software and some cloud service and then boom, it's done. And while many of us love to tinker, many don't or can't. Opinions on my free time and professional development notwithstanding.

1 Like

You cherry picked my quote and took it way out of context. I offered the alternative of a secure way to use the local dashboard.

Edit: in fact, one could argue that my suggestion IS keeping it at home and secure, more than cloud access.

Back on to the original topic.

I don't want the hub to expose things over HTTPS. It would be really handy if it behaved better through a reverse proxy though. Just having the JavaScript use window.location.host and window.location.protocol when generating self links would be enough.

I'd actually prefer to do my own certificate and authentication, as my original post shows I'm using Google OAuth. I trust the security of my Google account WAY more than essentially any other auth option out there.

I just need the hub to play nice when being served on a different domain/port/protocol than it is aware of, which isn't terribly hard for a web application to do.

1 Like

At the risk of sounding defensive (hey, it is our baby!), this is not a supportable description of what happens.

If you look through our past release notes given with each release, you will find there is always a mix of new features, devices supported, app features, and numerous bug fixes. Most bugs are addressed promptly. Our focus is never solely on releasing "Product 2.0". There is always a balance.

And, there is always more to do. Your 10-40 hours is multiplied times over by the breadth of what Hubitat supports. We scramble as best we can to resolve weaknesses in the platform, and don't release things that may have, in your view, security weaknesses, mindlessly, without good reasons. It isn't perfect, it's not a perfect process, but it's better than any of our competitors do. We will always strive to improve Hubitat Elevation to the best of our abilities.

I predict that you won't leave Hubitat when you have more time, because you won't be able to find a better home automation platform to move to. At least, that is our ambition and goal.

1 Like

I can respect that answer Bruce. And I do think in a lot of areas you guys have been great.

You in particular have helped me solve a few problems pretty quickly.

A roll-your-own solution with something like HASS was something I was trying to stay away from. But if I need to roll my own reverse proxy and build a system to send SMTP emails and get the other features I want, I suppose that might be where I go.

From some other posts I have gleaned there are bigger changes coming in the following months.

We shall see if those are enough to keep me around.

Sending emails from the platform is the sort of feature that is more likely than less to be addressed.

If you had to choose between sending emails and having HTTPS, which would you choose?

This wording confuses my brain. Are you saying it’s likely something you’d add? I’d love to natively be able to send emails!

Ah, brain confusion -- I know it well!

Yes, we think sending emails is a cool thing we'd like to add.

2 Likes

Yes, that is something I would like to see. I would like to see the cloud dashboard security first.

And honestly, if SMTP was available I would use it for notifications over things like the app. Which makes HTTPS less of a problem for me, because with the app gone I can stop people from going to HTTP dashboards. Even if I can't control the cert, a switch to force HTTPS redirect would be a great start.

And hey, you have file upload working. Who's to say that can't do cert management later on?

As I said, the support team isn't my issue. It took me some time to separate that out from the community members saying they don't want these things.

Just spitballing here, but could a quick and dirty solution be a virtual string shared via Maker API, with some polling code (script or compiled) hitting it that, when content is found, parses out the string and sends an email?

This is obviously not an ideal solution, but does it fix it right now?

Looking for something that doesn't require additional hardware or extra cloud services. SMTP would allow me to tie into my current mail provider (mailbox.org) and send to my mailbox, thus limiting the cloud connections.

I have been doing custom hacked-together cloudless home automation for over a decade. I have a toddler and other hobbies. I'm tired of updating multiple different devices, OS patching and everything else. I was looking for one device to provide the level of automation and privacy/security that I want. Hubitat is truthfully so close to that.

If Hubitat would support HTTPS on the app connection, or I could get notifications (without major cloud or additional services) and drop the app, I could rest a bit easier. The dashboard sessioning is high on my list, but I can live without it.

Do you consider Pushover a "major cloud service"? Something has to be in the cloud to get notifications.

I do... and I know that Hubitat is in AWS and probably uses FCM just like Pushover does. Which is something I would rather avoid if I could.

I worked in digital forensics for a period of time, doing cellular and cloud forensics. I might be a little scarred from all the info that I know Google, Apple and AWS compile.

Which makes SMTP with TLS a great option. My mail provider GPGs all incoming messages with my key as they hit the mailstore.
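A minimal version of the poll-and-email idea floated a few posts up, with the email leg done over TLS as described here. This is an added example, not code from the thread or from Hubitat; it assumes a Maker API device endpoint of the shape /apps/api/<app>/devices/<device>?access_token=... returning an "attributes" list, an attribute named "variable" on the virtual string device, and placeholder hub address and mail credentials.

```python
"""Poll a Hubitat virtual string via Maker API and relay it by email over TLS. Added
example, not Hubitat's code; the Maker API URL/JSON shape below is an assumption."""
import json
import smtplib
import ssl
import time
import urllib.request
from email.message import EmailMessage

HUB_URL = "http://HUB_IP_PLACEHOLDER"  # placeholder hub address, reached over the LAN
APP_ID, DEVICE_ID, TOKEN = "APP_ID", "DEVICE_ID", "ACCESS_TOKEN"  # placeholders
ATTRIBUTE = "variable"  # assumed name of the virtual string device's attribute

def fetch_device(url=None):  # assumed endpoint: /apps/api/<app>/devices/<device>
    url = url or f"{HUB_URL}/apps/api/{APP_ID}/devices/{DEVICE_ID}?access_token={TOKEN}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def extract_message(device, attribute=ATTRIBUTE):
    """Return the string attribute's current value, or None when absent or blank."""
    for attr in device.get("attributes", []):
        if attr.get("name") == attribute and isinstance(attr.get("currentValue"), str):
            return attr["currentValue"].strip() or None
    return None

def parse_message(text):
    """Constructed convention for the string: 'Subject | body'; no '|' means no body."""
    subject, sep, body = text.partition("|")
    return subject.strip(), (body.strip() if sep else "")

def should_send(previous, current):
    return current is not None and current != previous  # skip blank and repeated values

def send_email(subject, body, host, user, password, sender, recipient, port=465):
    """Deliver over SMTPS; the default SSL context verifies the server cert and name."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, recipient
    msg.set_content(body or subject)
    with smtplib.SMTP_SSL(host, port, context=ssl.create_default_context()) as smtp:
        smtp.login(user, password)
        smtp.send_message(msg)

def poll_loop(interval=30, **mail):
    last = None  # last value relayed, so an unchanged string is not re-sent
    while True:
        current = extract_message(fetch_device())
        if should_send(last, current):
            send_email(*parse_message(current), **mail)
            last = current
        time.sleep(interval)
```

Run `poll_loop(host="smtp.example", user=..., password=..., sender=..., recipient=...)` from a LAN host; because the hub side is plain HTTP, keep the poller on the same network as the hub and let only the SMTP leg leave the house.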

OK. Understood.

Of course, this makes you an outlier case -- but you already know that.

On that front, I know I am an outlier. And everywhere else I have seen SMTP brought up, it has been stated as low priority (again, probably by the community, not Hubitat directly) as there are alternatives: the app, Twilio and Pushover.

Email would be very cool. I'd love to be able to send a weekly email of battery levels. Also, because I'm a loser and just built an integration for my Withings Smart Scale and Sleep Mat, sending an email that shows me my weekly "health trends" or something. So I may well be an outlier in this! :)

One thing to consider on a business side, is that security, is like sex. It sells.

The whole IoT industry is front and center in the media and not in a good way. Article after article, of a smart home breach here, and there, and everywhere, is keeping a LOT of the public wary about taking the leap into smart tech.

People just don't trust it.

Sure, you have all of us STEM nerds lapping it up, but there is a much broader market out there.

I do CyberSecurity for Uncle Sam, and on the side, run a Smart Home Security Consulting business. By far, the biggest obstacle people have to taking the leap into Smart Home tech, is security. Rather, the lack of it.

This thread is full of looking inward, at the demands of the community, rather than outward, at expanding that community.

There is a large market out there that HA and Apple are eating up quickly, all because of security.

I completely understand that security is an investment. I also understand using ARO's and SLE's to balance the books when accepting risks. That's wise business, and really, it's responsible business. I work for the Government, so I'm spending tax payer money. I really need to make sure that the budget isn't abused. So, I get it.

You also have to consider what happens to business from a PR sense, if a few home networks are hit with HE hubs in them. Look at what happened to Ring. They took massive losses this last year over a few articles where homes were breached. It wasn't even Ring's fault! They weren't breached. The end user executed terrible security practices, and basically gave the robber the key to the door, then got mad at the door maker when he used it.

It didn't matter though. The media had a sensational, scary story, and they ran with it. Over and over and over.

This could happen here as well. Like it's been said here a lot. Security is mostly up to the end user. While that's true, that's not how it plays out in the perception of the real world. All they will see is that Hubitat got hacked and allowed access to a whole home. The poor children, and that poor single mom. Violated! Sob, cry, whine, sob.

Then the neighborhood Facebook group chats start going, "there is NO chance I'm putting any of that stuff in my house!" That, my friends, is market loss and all of IoT is feeling that right now.

The way you grab those consumers is to market security. It works for Apple. It works for HA. Security is the number one reason consumers list as why they use those ecosystems. Those are consumers that Hubitat should have. Could have!

My consulting job is mostly training tech illiterate people how to employ NIST security best practices in their home, so that they don't have to fear the use of these products, and can benefit from the real security they actually do provide.

All of that said, I love Hubitat and the community. You're not losing me any time soon, that's for sure!

3 Likes

(/lurk)

Talk about the pot (Farcebook users living in glass houses) calling the kettle (HA/IoT offerings) black!!!

(lurk)

1 Like

How much did Ring lose last year?

If you're talking about all consumers generally, I completely agree that poor password practices are probably the biggest problem that needs to be "patched."

But Ring (the company) has also demonstrated a range of poor security practices that range from questionable to abhorrent.

I actually think that the largest share of the home IoT market is either ignorant of or disinterested in information security, but some companies like Apple (or Ring, or Amazon) have developed pretty effective marketing campaigns nonetheless that capitalize on that disinterest. Their commitment to improving and maximizing security/privacy (related, but not the same) will only be prioritized to the extent that consumers force the issue.

1 Like

Oh, I absolutely agree! 👍

That's of the existing share of the market.

I'm talking about the rest of the market. The non-IoT consumers out there. The largest reason they cite, for avoiding IoT devices, is security.