Easy way to make HA accessible remotely (without DDNS+PORT FORWARDING)

Everyone should be aware of @balloob’s commentary on this component – highlighting is mine:

So I agree that the problem you’re trying to solve is a real problem. It would be great to make it easier for users to make a remote connection.

However, your current approach means that you route all users’ traffic unencrypted over your proxy. This means that if you were malicious, you could easily copy refresh tokens when a user logs in, giving you permanent access to the instance.

For us to merge a component, means we tell our users: hey, this is ok to use. Sure, integrations can break but it will never impact your privacy by leaking the data. A leak of data would be a permanent stain on our reputation.

I don’t feel comfortable allowing anyone to run a proxy that could access our users’ data.

And another thing that is also raising a bit of alarm bells for me is that all your accounts are anonymous. Your GitHub account has been created July 17, 2018. The only contribution of it is this component. The website molo.cn, that users use to login, shows no logos or affiliation with anything.

I think it would be a good start to make this available as a custom component. That way you don’t need our endorsement and people can still easily install it. However, when they do, it’s at their own risk.

Source: Security issue of Molohub(a remote access component) · Issue #66 · home-assistant/architecture · GitHub

15 Likes

Thank you @bachya

No you don’t. Invest some time in learning about reverse proxies, certificates, https. And then do it yourself with Nginx or Traefik.

1 Like

I think it would be like giving over your house keys to someone you just met in the street.

Can someone please delete this thread?

1 Like

As we said at https://github.com/home-assistant/architecture/issues/66, users have http component logs on their local machine; if someone else accesses their HA instance, users will be aware of it when checking the log.

We have discussed the privacy issue with balloob on GitHub and Discord for a long time. He also worries about privacy and gave us some suggestions. We are trying to reach a consensus.
We totally understand your worries about the privacy problem. As far as we know, almost all cloud solutions have the same privacy problem, including the cloud component and another reverse-proxy website (Reverse tunnel for Home Assistant (no public IP, firewall/router config required)), because similar technology is used, so please don’t be prejudiced against us.
Lastly, we are trying to find another way to solve it by peer-to-peer transport, with no data passing through the server. Perhaps it will decrease your worries.
We are looking forward to more comments, to find more ways to improve it.

1 Like

Deleting this post won’t solve the problem. @bachya has already pointed out that this has some potential security issues and @balloob suggested to publish this as a custom component. Every user has to decide on his own what security measures he or she wants to implement.

3 Likes

So just don’t use cloud solutions. The problem can be fixed locally quite simply.

I am allergic to cloud solutions for my automation and security system. I never use any devices that have to be cloud connected. There are a lot of high-quality IP cameras but they are locked to the manufacturers’ cloud. Will never be used by me. Goes for all devices. I don’t need to track my wife with owntracks in HA. And she would not like it. If I need to know where she is I look in my Traccar app connected to my Traccar server installed safely in a datacenter. I would never use a cloud MQTT server, I have it locally. And so on. But that’s me, everyone does as they want.

4 Likes

Is it though? There is no easy way of setting this up if you only run Hass.io on one Raspberry. At least there is no straightforward, newbie-friendly way. And no tutorials on this anyway (as far as I know).

I don’t want a cloud solution and I can’t port forward my router. Is there a solution for this besides Tor? Can someone make a tutorial?

I like the post where people put up a guide to secure hass. Making hass remotely the easy way is not an approach I recommend.

There is also the old school of hanging a modem off your system.

I have tried it with HA 0.77 and set up multi-factor authentication by Google. Maybe safe.

Not really. This method intercepts your communication between your browser and HA, decrypts it, reads all the data and then re-encrypts it to send to HA. So all the tokens created by the multi-factor authentication can be read by the server.

What the server does with this information is unknown to you, but in terms of security, there can be no presumption of innocence. You must assume that your passwords and tokens have all been stolen so reset all passwords and re-create your multi-factor authentication system.

Yes, that’s possible. But after resetting my password, loss of local control will easily be found. After all, HA is in my house; a hacker trying to control it is meaningless.

I would like to hear the perceived use case(s) for making HA accessible from outside your home network. I suspect some people are doing it “because it’s cool”, and others are doing it because they don’t know what alternatives are available. Surely the vast majority just shouldn’t be even attempting it. So maybe it’s just an education issue?

Remember that HA probably knows where you live (from your lat/long), knows what devices you’ve got (Xbox, laptops etc.), may know your Apple ID password, has data indicating when you are not home, and may even show your current location on the map. This is not something I want a random person to find out.

1 Like

Because people want to see their cameras, know how the temperature is, who is at home, when the home help left*, whether the kids are home from school, how much the dog ate and when he went outside, whether you left the garage door open, or forgot to turn the alarm on. They also want to be able to turn on the AC because it was unseasonably warm, open the door for delivery guys, open the door for unexpected but wanted visitors etc etc.

What is your reason for not wanting to access HA from somewhere else?

* we do pay you for three hours, so 9-11 doesn’t cut it.

You could look at Cloudflare Access (which is free for the first 5 users), which is a good solution for hardening your access to home-assistant if you want to expose it securely:
https://techkarussell.ch/home-assistant-hardening/

2 Likes

Education? Yes, but whose?

One day you might even want voice control with Google Assistant. There are lots of reasons to want/need external access. (Yes I know I can pay $5/month for cloud)