I look forward to seeing what improvements you have planned. I know dashboard access management is one aspect that could use some love in my book. One approach I use to secure systems at work is to leverage conditional access - basically rule machine for access:
You would define something like this:
- User(s): All
- Dashboard(s): All
- Location: US Only
- Method(s): Local & Authenticated Device (ie: Hubitat App)
- Result: Allow Access
I'm sure implementing something along these lines would take a bit of work, as it does allow for a wide range of configuration options. That being said, it allows users to poke smaller holes in their security defenses.
There are different kinds of security that should be discussed, such as HTTPS/SSL. If we are serious about keeping our hubs secure we should be discussing them all.
HTTPS/SSL - This is transport security, and only protects information when it's being actively transferred between systems. This would be a good thing to have implemented, but I would place it lower on the list. Unless you are logging/logged into your hub it has no benefit. Even then the benefit is somewhat limited as the connection is local to your network.
The main risk here is malicious activity on your device/network, where it would be possible to capture and decrypt the traffic. If this is the case you have bigger issues that need to be addressed.
Device Encryption - This can be considered data-at-rest security, and focuses on protecting the data where it lives - your hub. Once again this would be something good to implement, but does have other implications. What happens if the device experiences a failure and needs to be recovered? Where is the encryption key stored, and how do you recover a headless device? You can't connect a keyboard/monitor to enter a recovery key. This would require a lot of effort to implement correctly, and have minimal benefit. If someone has physical access to a device they have total access to the device. Any security can be compromised given enough time, and let's be honest, your bank account is more interesting than your home automation.
Remote Access - This is perhaps the biggest issue right now that does need to be addressed in some manner. The two main approaches people seem to take are 1) Set up a VPN 2) Configure Port Forwarding.
If someone is taking the time to set up a VPN for controlling their hub, that's a somewhat secure option. Depending on how it's configured the connection is secure from your device, to your home network - at which point all the same risks exist as not having remote access configured. If your VPN isn't configured well this could be a giant hole into your network, but this isn't a Hubitat issue specifically.
The more concerning approach is users configuring port forwarding. It's just a giant hole for anyone who finds your IP address to walk right through to access your network. Or more specifically the device you configured in the forward. This is where device and transport security matter more, as the hub is now responsible for the security of your network. If I crack your hub I can use it to attack the rest of your network.
The best thing Hubitat can do here is just communicate the risks of configuring remote access and making it clear they are not responsible for the end results. If you, the power user, are configuring remote access, you should be taking steps to improve your network security. How can you create a more secure connection to your network - as that's ultimately what you are doing.
Device Security - I think this is the area Hubitat could focus on some. One of the basic security principles drilled into everyone's head is to keep your devices updated. Given we lack access to our hubs, we are entirely dependent on Hubitat to implement security best practices. How is the underlying operating system updated, how is SSH access secured, how is the system accessed, etc. Yes - Hubitat provides updates, however I suspect these are largely focused on the software itself. If they are also updating the underlying operating system that could likely be better communicated.
In short, there is work that can and should be done to improve security. That being said more of the work falls on us - the users. Hubitat can certainly take some steps to help, but most of it falls outside their hands.
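
The conditional-access rule sketched in the post above, as an added example that is not part of the original post and not an existing Hubitat feature: a first-match, default-deny evaluator. The field names, the method labels (`local`, `authenticated_device`) and the `evaluate` function are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALL = "*"  # wildcard standing in for "All" in the post's rule


@dataclass(frozen=True)
class Rule:
    users: frozenset
    dashboards: frozenset
    countries: frozenset
    methods: frozenset
    result: str  # "allow" or "deny"


@dataclass(frozen=True)
class Request:
    user: str
    dashboard: str
    country: Optional[str]  # None when the location could not be determined
    method: str


def _matches(allowed: frozenset, value: Optional[str]) -> bool:
    # A missing attribute never satisfies a specific condition, so a failed
    # location lookup cannot slip through a "US only" rule.
    if ALL in allowed:
        return True
    return value is not None and value in allowed


def evaluate(rules, req: Request) -> str:
    """First matching rule wins; a request matching no rule is denied."""
    for rule in rules:
        if (_matches(rule.users, req.user)
                and _matches(rule.dashboards, req.dashboard)
                and _matches(rule.countries, req.country)
                and _matches(rule.methods, req.method)):
            return rule.result
    return "deny"


# The rule from the post; method names are constructed for this example.
POLICY = [
    Rule(users=frozenset({ALL}), dashboards=frozenset({ALL}),
         countries=frozenset({"US"}),
         methods=frozenset({"local", "authenticated_device"}),
         result="allow"),
]
```

Because the fallback is deny, each rule added to `POLICY` opens one narrow path rather than carving exceptions out of open access.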