Local hub access via https and blocking of http access

Hi there

For local access am trying to figure out how to enable HTTPS access only at login to the hub... any ideas

Why: sending information across a network unprotected is not a great thing to be doing, and user ids and passwords sent in the clear is a big No No even on a trusted and secure network (and let's be honest, many home networks are neither) .... If a bad actor gained access to your network it would not be very hard to capture the signin information and take control of your hub (giving them access to all of your devices, potentially your actual home address, door automations and your presence status = keys to the kingdom)

AFAIK, there is no way within Hubitat's configuration to disable http. You could put your HE into its own VLAN and only forward https (and block http).

That would not be my highest concern if someone got access to my network. I'd be far more concerned about the security of my financial and banking information.

There are easier, non-invasive ways for someone to get my home address. And possibly my presence. And, as far as door automations go, kicking it in or coming in through a window are of much greater concern and likelihood.

6 Likes

Unencrypted http shouldn't be much of a concern on your local lan.. Going over the public internet yes..

1 Like

Respectfully Disagreed

Security is a key element to any service these days. To be honest, sending user ids and passwords in the clear and then operating on a non secure site is a very very bad thing to be doing (I'm an ex developer, now in infrastructure and Infosec with CISSP accreditation = this is what I do) .... at the very least Hubitat should inform the user regularly that this is what's happening and not to use passwords that if revealed would compromise other things .... you are right about financial / PII, that's very important (and to my knowledge most financial institutions are fairly sophisticated in this regard), however this is also important 2 (property and physical security)

As far as breaking down doors and so on ... personally if I were a hacker I would not be doing it ... I would sell on the info and access and let someone else do it ... if I were a bad actor I would much prefer to roll up to a house in a van and for the doors to unlock and open for me + disable any security process vs actually having to break into a house the hard way, which generally gets attention from the neighbors ....

It's not that a bad action is likely, it's that the access granted to a bad actor may be quite fundamentally important (to take stuff or other - some use this to secure their home while away and while at home). Equally important, a bad actor could compromise and repurpose the hub to do something you don't want it to do

As is, Hubitat .... As far as I can see, Hubitat is insecure and probably should not be installed on an internet facing network without some form of network segmentation and firewalling .... which for the average joe is not a thing they would even consider.

While I clearly don't share your concerns, I have suggested a mechanism (placing the HE in a VLAN and only forwarding https to it) for you to allay them for your own Hubitat installation.

And what you describe of your background indicates you are amply capable of implementing something along those lines.

2 Likes

Local lan thought: yea I see what you are saying ..... assuming no devices on the network have been compromised (which sounds paranoid, however 1 email, one click, and you are done) and you are actively monitoring firewall activity !!!! And who the hell does that ...... lol

All I'm saying is that HTTPS is a fundamentally important protection ..... for local and remote accesses

It's not really a debate guys, it's a fact of life and industry base standard (the lowest bar you should reach - hell I'd want https, uid, PWd and pin) ..... if an IT security firm evaluated this product it would fail before the gates opened (no encryption opens you up to password loss, skimming of information, session hijacking etc ....) + you can't rely on the general punter to secure the perimeter every time (or ever) and I think it would be a fair expectation of a customer to expect a vendor to provide industry standard protections ......

That all said, I love the product and I'll be firewalling and segmenting ....

Meanwhile, while waiting for the developers to make the change, you do what we've all done - you assess the risk and if you feel it is high enough, you put the vulnerable machines in a protected (from a network standpoint) environment. You will have a completely new set of challenges because so many of the home automation (and related) devices use broadcasts and discovery making a classic vlan and firewall approach challenging (but not impossible).

2 Likes
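The VLAN-plus-firewall mitigation suggested earlier in the thread (forward only https to the hub and block http), expressed as an added nftables example that is not from the thread or from Hubitat. Interface names, subnets, the hub address and the assumption that the hub's TLS UI listens on 443 are all placeholders to adapt to your own router.

```nft
# Added example: forward-chain policy on a router sitting between the trusted
# LAN and a dedicated hub VLAN. Every name/address below is an assumption.
define lan_if  = "eth1"          # assumed: interface facing the trusted LAN
define hub_if  = "eth1.20"       # assumed: VLAN 20 sub-interface holding the hub
define hub_ip  = 192.168.20.10   # assumed: hub address on the hub VLAN

table inet hubfw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already accepted flows (hub answering the browser,
        # hub's own outbound connections) continue to pass.
        ct state established,related accept

        # Plain HTTP from the LAN toward the hub is logged and refused; the
        # TCP reset gives the browser an immediate error instead of a hang.
        iifname $lan_if oifname $hub_if ip daddr $hub_ip tcp dport 80 \
            log prefix "hub-http-blocked " reject with tcp reset

        # Only TLS reaches the hub admin UI (assumed port 443).
        iifname $lan_if oifname $hub_if ip daddr $hub_ip tcp dport 443 accept

        # The hub may still open its own outbound connections (cloud, NTP,
        # updates); nothing else from the hub VLAN reaches the LAN.
        iifname $hub_if oifname != $lan_if accept
    }
}
```

Because the default policy is drop, broadcast and multicast discovery (mDNS, SSDP) no longer crosses the boundary, which is exactly the trade-off the previous post describes; each integration that relies on discovery needs its own explicit rule or a relay.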

While making the request to Hubitat engineering, we should make sure that we can disable any connection that isn't TLS1.2. And should we request the option to require FIPS algorithms, too? Probably.

Good points man ... what should the request look like ... I'll make it ....

I don't know that there is a formal process or format. What I have done in the past is just to post a message in the "Feature Requests" category . . . probably tag Bruce for this kind of request (but they do a pretty good job of keeping an eye on this traffic).

Deal o .. will do

Thanks all

Nice to be in a forum of like minded thinking contributors....

Agreed :: actually it's all based upon risk ... if the hub links to a few lights and dimmers that's one thing ... if it's controlling your exterior door locks, furnace and other stuff that's a completely different thing ....

I have a number of hubs and have been using HA in one form or another for 5 years or more.
I would NEVER allow any home automation system to access my garage door or any external locks.
My alarm system is 'stand-alone' and not HA connected. (With the exception of sending a message if the alarm is triggered)

Having said all that, I don't even enable authentication on my 7 hubs, although they are on a separate vlan.
If someone got past my Cisco firewalls and into my local lan then I think I would be worried about other things rather than my home automation.

My website does not currently use ssl but probably will by the time it is open.
Of course I would still recommend using a different password on my website than your bank account!

Andy

1 Like

It's an interesting conversation.... I bet we would find that many here have thought about security and done something to mitigate the risk (^^^ Cisco firewall + segmentation and risk limitation) ... but we have an interest in this stuff .... it's fun

Personally I'd say

  • just lights in a home ... no big deal at all ... should be secured but what's the worst that can happen
  • locks / door openers .... is a little different

I guess it's all about how you use the system

Lol yea, financial sites differ, but using different complex passwords for each account + a 3rd element such as a text with a code or Google's/Microsoft's Authenticator is belts and braces

Request made

Not sure how to tag someone in here .... how do I tag Bruce?

Thanks for that

Anyhow the thought is out there now and glad Eric suggested a request be made ... better to ask than to sit around complaining !!!!!

While I do not disagree with this suggestion, I think your concerns are quite overblown. Hubitat is a consumer-grade appliance, not an enterprise command/control system. If a hacker has gained entrance to your home network, you have other more serious issues.. I would be far more worried about someone being able to get into one of my Macs or PCs and access my personal data, banking history, passwords, etc. Seriously, Hubitat would probably be the last thing I would worry about.

Enabling self-signed certs brings its own unique challenges, namely browser developers are making it more and more difficult for end users to understand and bypass invalid certificates. The warning messages alone are ominous and result in a very poor user experience.

Again, not arguing, but I cannot get past what sort of data would be valuable from my Hubitat environment. I'm not even worried about someone unlocking my doors. If someone wants access to my home bad enough, they will get in and simply break a window... It is a topic that's been discussed ad nauseam.

The truth is, even with the hub locked down behind https, a hacker can still sit outside your home with the right Zigbee or Z-Wave toolset, and likely can still gain access to many of your connected devices.

Like I said, I do agree with this as an option.. But there are more pressing needs for this platform at the moment.. IMO, of course.

3 Likes

An opinion I concur with. I would much rather see resources devoted to finding a lasting solution to the hub instability issue that seems to have affected many HE owners.

3 Likes

Yea .... you make a very good point and I agree ....

lol all I wanted to do was find out where the "turn on HTTPS/TLS" button was !!!!!!!!

3 Likes

I agree it's not a top priority but I think it should be on the list. Frankly, it's a best practice which should apply to any device that might be exposed to the internet. It has to be on a list or it won't get any thought or attention.

3 Likes