Disclosure: Supervisor security vulnerability

not being very secure probably, but, since we have this boolean, do people use it to toggle it based on home presence?

I mean, when at home, we don’t need external connection in the first place?
how would that work out with cloud TTS… hmm

Frenck, you keep using this lingo.
Rotating indicates circling between various existing username/pw combinations.

While you probably need to say: change your existing username/pw (delete the existing and create new) ?

This blog was the 1st to pop up and seems very admin-centered, https://www.ibm.com/cloud/blog/how-to-enhance-security-by-rotating-service-credentials and should probably also be implemented somehow in the NC connection panel?

Notify the user to adjust. And what exactly.

But DuckDNS is on the Public Suffix List https://publicsuffix.org/ so you have to search for the subdomain like https://crt.sh/?Identity=sylvain-maison.duckdns.org&deduplicate=Y to get results.
Searching for duckdns.org only shows results from the time before the inclusion in the list.

Perhaps @frenck should get ui.nabu.casa on the list too.

EDIT: Sorry, I didn’t see that it is in fact on the publicsuffix list and no new hostnames have been logged in the last 4 years. Thanks @CentralCommand for correcting me. :kissing_heart:

1 Like
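The Public Suffix List point above (searching `duckdns.org` on crt.sh finds nothing recent because the registrable domain is one label longer) as an added example, not part of the original post. It assumes a small constructed subset of PSL rules and models only exact rules, not the list's wildcard or exception entries; `registrable_domain` and `crtsh_identity_url` are hypothetical helper names.

```python
# Added example (not from the thread): work out which identity to search on crt.sh
# for a hostname, given that a public-suffix rule such as duckdns.org makes the
# registrable domain one label longer than usual. Useful for auditing which of
# your own hostnames are visible in Certificate Transparency logs.
from typing import Iterable, Optional
from urllib.parse import urlencode

# Constructed subset of https://publicsuffix.org/ rules (the real list has
# thousands of entries). duckdns.org and ui.nabu.casa are on it per the thread.
PUBLIC_SUFFIXES = frozenset({
    "org", "casa", "io",
    "duckdns.org",      # private-section rule for DuckDNS
    "ui.nabu.casa",     # private-section rule for Nabu Casa remote UI hosts
})

def public_suffix(hostname: str, rules: Iterable[str] = PUBLIC_SUFFIXES) -> str:
    """Return the longest matching public suffix (exact rules only; the full
    PSL's wildcard and exception rules are not modelled here)."""
    labels = hostname.lower().rstrip(".").split(".")
    rule_set = set(rules)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rule_set:
            return candidate
    return labels[-1]  # PSL fallback: an unknown TLD is itself the suffix

def registrable_domain(hostname: str) -> Optional[str]:
    """Public suffix plus one label: the unit a single owner controls and the
    identity CT searches key on. None when the hostname *is* a public suffix."""
    suffix = public_suffix(hostname)
    labels = hostname.lower().rstrip(".").split(".")
    n_suffix = suffix.count(".") + 1
    if len(labels) <= n_suffix:
        return None
    return ".".join(labels[-(n_suffix + 1):])

def crtsh_identity_url(hostname: str) -> str:
    """Build the crt.sh query that actually lists certificates for this host:
    the registrable domain, not the bare suffix (which only shows pre-PSL entries)."""
    ident = registrable_domain(hostname)
    if ident is None:
        raise ValueError(f"{hostname} is a public suffix; search a subdomain instead")
    return "https://crt.sh/?" + urlencode({"Identity": ident, "deduplicate": "Y"})

if __name__ == "__main__":
    for host in ("sensor.sylvain-maison.duckdns.org", "abc.ui.nabu.casa", "home.example.org"):
        print(host, "->", registrable_domain(host), crtsh_identity_url(host))
```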

That is fairly easy to answer. Each Home Assistant instance using NC creates and has its own certificates, locally. This means all traffic is end-to-end encrypted, as your instance is the only one that has the secret parts of the certificate.

This is the reason why NC is marketed as a “secure remote connection”. It provides an SSL-encrypted connection to your instance, which is end-to-end encrypted. NC cannot view the traffic either. Even if NC ever had a security incident, there is nobody that can get in between your traffic.

This is not possible with wildcard certificates.

Above all, it makes stuff just easier, as no port forwarding and router fiddling is needed. Some have been shouting: Cloudflare! Sure, that is an option and also a great service (I’m a paying customer myself for many other things as well). However, Cloudflare is not end-to-end encrypted when using it as a proxied service. Is that bad? No? Depends, it is all about choices.

3 Likes

Right, should have used a better example to make my points hehe (should have drunk my morning coffee first). The gist of my response, however, remains the same. There is no such thing as a non-public, public domain. You may try to hide… But you have to assume they’ll find you :slight_smile:

2 Likes

So is the fix for this Supervisor vulnerability the reason why my HA API rest sensors no longer work?

https://community.home-assistant.io/t/2023-3-dialogs/541999/311

We added hardening, but that should just have worked I guess. Maybe raise an issue in GitHub, so we can take a look.

We also found an issue that blocked documentation & changelog requests, blocking viewing those in the UI. A fix for that is coming in the next patch release. Your issue is most likely similar.

Should I raise the issue in the Core or Supervisor repository?

Core I think might be best now.

1 Like

I understand that you have to deal with so many user interactions that you cannot write a novel every time, and with synthesis comes misinterpretation, let’s be friends :slight_smile:

Ok, thanks to @gubiq who opened Pandora’s box for me. I wasn’t aware of the certificate listings.
In fact the service I’m managing for my customers uses wildcards because I’m not offering E2E encryption; now I perfectly understand what you mean.

So, thank you very much for the explanation, I think it’s very important to know exactly how all this stuff works to make an informed decision. Understanding is power :slight_smile:
I’ll spread what I’ve learned here in the Italian community.

PS: I’ll remain a paying customer of Nabu Casa as I’m happy to give my small contribution to keep the project alive and growing. And to let you manage security vulnerabilities in a serious way like you’re doing. Good work.

3 Likes

I updated to the most recent hassOS. 2FA is enabled for only 2 of 3 users.

If some attacker were to exploit this vulnerability, would they still be able to access my Home Assistant after updating to the most recent update?

Yes, I do this and have done from the very beginning of using NC. I am not paranoid by nature but I like to take precautions where I can because I know very well that a little knowledge is a very dangerous thing and in the realms of cyber security I do only have a little knowledge.

Anyway, toggling the NC Remote UI on and off works well for me and at least it means I was safe for maybe 60% of the time.

Yeah I know, that wasn’t really meant to be taken seriously.

well, I do :wink:

and now that I see this, I realize I am not 100% certain what that means… I mean, I am logged into my account, but the cloud remote is off.

But the top panel says ‘Cloud-connection-status: connected’ (Cloudverbindingsstatus: Verbonden).
Why am I still connected if my remote connection is turned off…
shouldn’t the account login be toggled either?

or is that just an incorrect wording for being an active subscriber…

You’re connected so that things like Google Assistant/Alexa work… you can use those without the remote UI.

OK, thanks, so, if I want complete cloud cutoff, I also toggle these:

and then the top toggle in the Nabu Casa panel would also turn off?

Is the current security breach also impacted by those services (or vice versa), and, what is the instruction to do with those services?

Well, if you want to have complete cutoff you’d want to log out.

I can’t answer that, but do what you want :wink: I’m keeping mine active as doing it manually is a faff and I’m lazy.

Sure, we’re all lazy :wink:
what I am asking though is if we are impacted in that area too, and what the directives are by the NC security team.

1 Like

I hope you are also fixing the system so that the Supervisor is not exposed over protected instances using the PAID Nabu Casa service, irrespective of whether it is vulnerable anymore or not. This is not advertised as being exposed.

2 Likes

Frenck is using standard terminology as it relates to security. You can do your own search to confirm this or look at this page from a tech giant.

4 Likes

You’re an admin and lazy with security? Wow :open_mouth: