You could look at Cloudflare Access (which free for the first 5 users) which is a good solution of hardening your access to home-assistant if you want to expose it securely:
https://techkarussell.ch/home-assistant-hardening/
2 Likes
Education? Yes but who’s?
One day you might even want voice control with Google assistant. There’s lots of reasons to want/need external access. (Yes I know I can pay $5/month for cloud)
hi, what’s the difference between Cloudflare and MoloHub, which is safer and why?
You can’t compare those, cloak is a different service from MoloHub. You can compare cloudflare warp to molohub https://developers.cloudflare.com/argo-tunnel/quickstart/. It’s not free, but it means that it will probably stay online and cloudflare has a clear business model which can tell you how they are earning money 
Also, Cloudflare has a great reputation, pretty much every company I know of is using it to make websites faster and provide TLS termination.
Both will create a reverse tunnel to the cloud service and can intercept your traffic. I have a similar service as @haoctopus pointed out. Although I never intended it to be used for home automation and especially camera streaming (it would cost me 
), it was mostly for forwarding webhooks, demoing your website or exposing some “engineering services” that are very rarely connected to and do not deserve a load balancer.
Ideal tunnelling solution would be just a TCP tunnel where you HA instance has a TLS enabled and you generate those certs for the HA. Then, when connecting through the tunnel you would be able to see, whether the certs are your or not. If they are not yours - abort and if they are, then you can trust the connection. I intend to implement something like this, but really not sure whether it would be used as it does make a little bit of pain to setup the certs and if someone would be watching their cameras through the tunnel, it might make it financially unprofitable to run this as a service 
Indeed, MFA makes HA much safer than before, at least server can’t access user’s HA instance, `cause token of MFA will expired in a short time.
Great to see some passion! But I have all of that without opening HA (except the cameras; I have none). I use Bluemix (free!) to provide a separate password controlled public facing web site that just sends MQTT to/from Node Red which talks to HA. Much more secure, although more links so perhaps less reliable. And technically more effort.
And @DavidFW1960 Bluemix (still free!) solves the bridge between Google Assistant and HA (via IFTTT & Node Red). Surprisingly, voice control this way is faster than Philips supply for my Hue bulbs (may only be an issue for me in AU). This is the point I’m making about there being alternatives. Or use Tor or a VPN. BTW I don’t work for Bluemix or IBM.
Is Bluemix a cloud service?Everything in cloud is exposed to worldwide.
As far as I known,Bluemix is also a cloud solution, Technically no difference.
Why would I want to use that instead of Google direct? It’s still a cloud service.
Because it’s the lesser of two evils. There’s no such thing a no risk, only acceptable risk.
Google Assistant is in the cloud, you can’t avoid that. If you want Google Home to control HA, you need some way to allow data to flow from Google in the cloud to HA in your home network. One way is to open HA to the internet, but then you have to worry about the potential of somebody managing to access your secrets.yaml file.
An alternative is to use some other software that has no direct access to HA. There is no avoiding this is going to be more complex. The option I chose is to install Mosquitto (MQTT) in a docker container at home as the ‘middle man’, and expose it to the internet. Then you have to work out how to connect Google to MQTT. You could write your own Google Assistant app (too hard!) or add in something that Google can already talk to - IFTTT. But IFTTT can’t talk to MQTT. Which is why I use Bluemix. It’s Node Red running in the cloud, so all it does is receives IFTTT webhook requests and converts them to MQTT. Should IFTTT support MQTT any time in the future, I would dump Bluemix the same day, as it’s only necessary to bridge the gap, and is therefore something to potentially fail.
Bluemix is owned by IBM. I don’t believe IBM wants the reputational damage of accidentally releasing plain text passwords to the world, but let’s say they do. What’s the worst that can happen? Somebody can send MQTT messages that will turn my heater on. Maybe they can even unlock your front door, but they don’t know where you live and can’t get your iCloud password or other sensitive data from secrets.yaml.
Let me just reiterate, this is one option of undoubtedly many. It is not without limitations, but suits my risk appetite and needs. So I add the usual caveat of YMMV.
2 Likes
That’s effectively what the Google Assistant Component does… you link assistant to your own google app.
As you say everything is a risk or course.
I manage that by using SSL and duckdns via a reverse proxy on a non standard high port and I only have that port opened and forwarded. So you’d have to guess my domain, port number, username and password as well as the rolling 6 digit authenticator token to crack in… I find that an acceptable risk and far lower than using third party cloud services.
In the unlikely event that it all goes to shit, I have snapshots going way back and worst is I need to wipe out my NUC and start again.
IFTTT is currently using the legacy_api as well so that is less secure anyway that the new auth.
2 Likes
For me much of the fear of hacking is way way exaggerated. We are not talking the international space station. As said there is so many things a hacket must find out to be successful. And to be able toshut down someones boiler is nothing that get the hacker any plus points. And ransackers dont have these skills
1 Like
Fear-mongering pure and simple. FUD.
I’ve seen people with perfectly functional security (not the space station) get scared off of having anything outward facing. All the hacking threads in here have been people exposing stuff without passwords or in one particularly memorable case, the OP had given an alexa dot still activated on his home assistant to someone else but in the 2 weeks it took to discover that had triggered pages of discussion filled with FUD.
There are also a lot of people who don’t secure their systems at all and have them exposed… no one advocates that that is a good idea.
2 Likes
I have an nginx as reverse proxy and letsencrypt. I am cautious about cloudservices son I dont use if I can avoid it. Only cloud I use is AWS for Polly tts. I dont use alexa or google, but not for fear of security but because they are way to slow to respond
1 Like
And just how would a thief looking for something to sel to fund his drug habit find this out. I dont believe they have the skillset
These devices are usually hijacked by an automated tools, without any thieves, get exploited through a 0-day vulnerabilities (or brute forcing but most of the servers have a backoff functionality now) and join a botnet. Nothing might happen for weeks or months, and then one day they will join the rest of the botnet on an attack against some target Even then you might not notice that something is happening. Some of these malicious applications even patch your installation against other intruders so they remain in control
The largest DDoS attacks were committed by IoT devices, not some hijacked computers.
It solved my problem, and the security looks ok
You means we are wicked hackers, Do you?
Nope, it was addressed to a previous comments regarding possible threats in general and the reason why IoT devices get hijacked (usually not to spy on anyone but to participate in something more profitable).
Although it would be interesting to know your business model
Well my be but still much of this is scaremongering in my opinion. But anyway I dont use any internet connected services on my automation server and can only connect to it from outside using VPN
1 Like