Local hub access via https and blocking of http access

I don't know that there is a formal process or format. What I have done in the past is just to post a message in the "Feature Requests" category . . . probably tag Bruce for this kind of request (but they do a pretty good job of keeping an eye on this traffic).

Deal o .. will do

Thanks all

Nice to be in a forum of like minded thinking contributors....

Agreed :: actually it’s all based upon risk ... if the hub links to a few lights and dimmers that’s one thing ... if it’s controlling your exterior door locks, furnace and other stuff that’s a completely different thing ....

I have a number of hubs and have been using HA in one form or another for 5 years or more.
I would NEVER allow any home automation system to access my garage door or any external locks.
My alarm system is ‘stand-alone’ and not HA connected. (With the exception of sending a message if the alarm is triggered)

Having said all that, I don’t even enable authentication on my 7 hubs, although they are on a separate VLAN.
If someone got past my Cisco firewalls and into my local LAN then I think I would be worried about other things rather than my home automation.

My website does not currently use SSL but probably will by the time it is open.
Of course I would still recommend using a different password on my website than your bank account!

Andy

1 Like

It’s an interesting conversation.... I bet we would find that many here have thought about security and done something to mitigate the risk ( ^^^ Cisco firewall + segmentation and risk limitation ) ... but we have an interest in this stuff .... it’s fun

Personally I’d say

  • just lights in a home ... no big deal at all ... should be secured but what’s the worst that can happen
  • locks / Door openers.... is a little different

I guess it’s all about how you use the system

Lol yea Financial sites differ but using different complex passwords for each account + a 3rd element such as text with a code or Google’s/Microsoft Authenticator is belts and braces

Request made

Not sure how to tag someone in here .... how do I tag Bruce?

Thanks for that

Anyhow the thought is out there now and glad Eric suggested a request be made ... better to ask than to sit around complaining !!!!!

While I do not disagree with this suggestion, I think your concerns are quite overblown. Hubitat is a consumer-grade appliance, not an enterprise command/control system. If a hacker has gained entrance to your home network, you have other more serious issues. I would be far more worried about someone being able to get into one of my Macs or PCs and access my personal data, banking history, passwords, etc. Seriously, Hubitat would probably be the last thing I would worry about.

Enabling self-signed certs brings its own unique challenges, namely browser developers are making it more and more difficult for end users to understand and bypass invalid certificates. The warning messages alone are ominous and result in a very poor user experience.

Again, not arguing, but I cannot get past what sort of data would be valuable from my Hubitat environment. I'm not even worried about someone unlocking my doors. If someone wants access to my home bad enough, they will get in and simply break a window... It is a topic that's been discussed ad nauseam.

The truth is, even with the hub locked down behind https, a hacker can still sit outside your home with the right Zigbee or Z-Wave toolset, and likely can still gain access to many of your connected devices.

Like I said, I do agree with this as an option. But there are more pressing needs for this platform at the moment. IMO, of course.

3 Likes

An opinion I concur with. I would much rather see resources devoted to finding a lasting solution to the hub instability issue that seems to have affected many HE owners.

3 Likes

Yea .... you make a very good point and I agree ....

lol all I wanted to do was find out where the “turn on HTTPS/TLS” button was !!!!!!!!

3 Likes

I agree it's not a top priority but I think it should be on the list. Frankly, it's a best practice which should apply to any device that might be exposed to the internet. It has to be on a list or it won't get any thought or attention.

3 Likes

I would like to ask...what hacker is going to attack your Hubitat? Even if you clicked on that "1 email", what is going to happen to your Hubitat? Wouldn't you be worried about your banking information? Stuff that is a little more common for people to have that is worth something to hackers.

Attacking your Hubitat doesn't make anyone money. Other than people looking to screw with people, like the jerks who scared people on their Ring cameras, there really is nothing to be gained by hacking your Hubitat.

1 Like

Well if you have geo fencing set up they get that however they already have ur internet gateway ip + other stuff so don’t think it’s an issue...

so what’s the real risk?

They lurk in the hub and turn on and off lights ? Not so bad .... delete all your automations .... not so bad at all .... send notifications repeatedly to somewhere hmmmmmm has been done before a few years back with appliances ( I think it was a large DDoS attack - very coordinated and organized - PR disaster for the tech company involved ) again impact is low for us and it’s a stretch to start with anyhow .... gut feeling is that the risk elevates if locks and door openers and or some other thing that’s really important is connected and automated and that this is the less common exception ( mind u it’s not too hard to install a compatible lock and integrate it ... not hard at all and people are doing it - ) + as pointed out above Zigbee and Z-Wave could be compromised all on their own and nothing defeats the “rock thru the window” approach...

in fairness and in most cases it’s going to be an inconvenience... that said we can put things in place to make it a little safer ... it’s like a car’s safety belt ... you don’t need it until you get in a crash and it does not guarantee survival sooooooo why wear it at all because we rarely get into crashes and it’s inconvenient = it reduces risk and improves survival rates significantly.... on the internet there are people trying to crash into you and take advantage of whatever they can ( generally they target the least secure and most easily accessed systems ( a time and effort equation ) so a key protection is to make a system difficult to break into and less appetizing which makes it much less likely to be successfully attacked ( improves survival rates )

Perhaps I am overly conservative but I consider any device sitting on my network to be a potential attack vector.

This is not going to happen. Unless you are a famous person, no one is going to hack your Home automation system to get into your house. They are just going to break a door down. This is an old debate. Locks/Security systems are deterrents that keep honest people honest. If someone wants into your house, they are going to get in. Period.

2 Likes

Yep agreed ... it’s another surface to be leveraged ..... u can really spin out of control in paranoias though lol

Whether it is an important feature to me (or anyone else) or not is irrelevant. It's important to you, and you've done the right thing by making a feature/enhancement request.

Good luck!

2 Likes

Yea man, security thru obscurity is an approach however if you can secure what you have better, why wouldn’t you ?

The biggest reason imho is the browser SSL validation. You won’t be able to get a valid certificate to an internal private IP.

HE doesn’t need the additional support requests for browsers complaining about the “unsafe” site

2 Likes