HA security and hacking

@flamingm0e, I think he’s alluding to having the UI display a warning card saying:

“Hey your install isn’t secured with a password, should you ever open this to the internet for remote usage, you’ll want to set that up!”

Similar to when there’s a configuration error.

1 Like

Finally, something I understand! I can see value in that.

If you don’t change your raspberry pi password from the default one, a text will show every time you connect via ssh.

So here’s a way to break it down:

You buy a car and take it home. You leave the doors unlocked, someone overnight opens your door and jacks your car radio. Do you blame the car manufacturer or dealer because you left your doors unlocked? No.

4 Likes

I have more docker containers than you can imagine. Most I use through VPN or locally, the others I use all through 443.

You know someone would definitely blame the manufacturer if you had no way of easily knowing a door was locked or not though. Your analogy is flawed in this case and doesn’t really apply as even my toddler knows a door is locked or not, does he know if my web app is secure? Hmm…

Except they’ve gone in and explicitly opened the ports on their router/firewall. This isn’t done automatically by Home Assistant. When it comes to network security the weakest link exists 99.99% of the time between the keyboard and the chair.

People should be using common sense here; if you are not sure of what you are doing and just opening ports on your router/firewall, you shouldn’t be doing it. Anyone doing this should research exactly what it is and means to open a port to the public internet.

2 Likes

I think it would be great if HA enforced a password being set, and ssl being mandatory. But setting up ssl is not trite, so it would be an adoption barrier.
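
As an added example (not code from this thread or from Home Assistant itself), here is the kind of check that could sit behind the warning card proposed earlier in the thread, and that a “password and SSL enforced” policy would be based on: it reads a configuration.yaml and returns warning texts when the `http:` block has no password or no certificate. It assumes the legacy `http:` option names api_password, ssl_certificate and ssl_key, and the sample configs in it are constructed.

```python
"""Added example, not Home Assistant's own code: the kind of check behind
the proposed "your install isn't secured" warning card, run against a
configuration.yaml. Assumptions: the legacy `http:` options api_password,
ssl_certificate and ssl_key; the sample configs below are constructed."""

from typing import Dict, List

Config = Dict[str, Dict[str, str]]


def parse_sections(text: str) -> Config:
    """Minimal reader for the `section:` / `  key: value` layout of a typical
    configuration.yaml. Not a YAML parser: comments are stripped, and lists or
    deeper nesting are skipped, which is enough to inspect the `http:` block."""
    sections: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip()
            sections[current] = {}
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def security_warnings(config: Config) -> List[str]:
    """Warning-card texts for this config. A missing `http:` block counts as
    unprotected: the web UI is still served, just with nothing configured."""
    warnings: List[str] = []
    http = config.get("http", {})
    if not http.get("api_password"):
        warnings.append(
            "Your install isn't secured with a password. Set api_password "
            "before opening Home Assistant to the internet for remote use."
        )
    if not (http.get("ssl_certificate") and http.get("ssl_key")):
        warnings.append(
            "The web interface is served over plain HTTP. Configure "
            "ssl_certificate and ssl_key before exposing it remotely."
        )
    return warnings


def check(config_text: str) -> List[str]:
    """Parse and check in one step; an empty list means nothing to warn about."""
    return security_warnings(parse_sections(config_text))


# Constructed sample configs (not from any real install).
UNPROTECTED = """
homeassistant:
  name: Home
http:
  server_port: 8123
"""

PASSWORD_ONLY = """
http:
  api_password: !secret http_password
"""

PROTECTED = """
http:
  api_password: !secret http_password
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
"""

if __name__ == "__main__":
    for name, text in (("unprotected", UNPROTECTED),
                       ("password only", PASSWORD_ONLY),
                       ("protected", PROTECTED)):
        print(name, "->", check(text) or ["no warnings"])
```

The check deliberately treats an absent `http:` block the same as one without a password, because the UI is served either way; that is the case the warning card is meant to catch for someone who never touched the section.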

Why should I be forced to set a password and use SSL if it’s only running on an internal network with no internet access?

1 Like

Because it is good practice in any IT/networking setup.

1 Like

On an isolated network there is no need for passwords or SSL. The only time this is needed is when devices are exposed to potential public access. It’s called air gapping, anyone in IT should know this.

1 Like

@firstof9 Depends on how much you trust those users on the local network (I don’t want friends and friends of friends that are on my wifi network to be able to access or sniff data from my HA instance locally).

But won’t it be good to add a simple layer of security? Maybe the user has opened a door by mistake.

That wouldn’t be an air gapped network then :wink:

This again falls back to doing research on what you are configuring in your router/firewall and likely why the HA docs don’t link to any “How to open ports on your router” HowTo articles.

You had a look at any papers or articles on hacking wifi lately?

Or my teenagers’ friends

There are more aspects to security for Home Assistant than setting a password, using ssl certs, and forwarding ports. I can’t tell you how many times I see where users want to automatically unlock doors or open garage doors based on presence. Just look at the forums to see how difficult presence is to get right. It’s super easy for someone to create an automation that would unlock or open doors when not desired.

The same could be said for making doors unlock or garage doors open up based on voice. Any random person can shout “turn on the garage door”, “turn on the front door”, or other similar phrases from outside your house and gain access to your house.

There are also users that think Home Assistant can be used as a security system. Sure, Home Assistant can do many of the same tasks that a security system can do, but it just doesn’t have the same level of dependability or response time that you get from a dedicated security system. It’s just impossible for a single person to respond to a potential break-in consistently like a company that has multiple people working 24x7. Home Automation and security systems just need to be kept separate even though there are overlaps in features.

3 Likes
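
The two failure modes in the post above (a single flaky presence signal unlocking a door, and a phrase shouted from outside doing the same) are the kind of thing a guard around the automation can catch. The following is an added example, not code from this thread or from Home Assistant: it only decides to unlock when at least two independent presence sources agree within a short window, and it refuses a spoken unlock request unless that consensus already holds. The source names, the window, and the sample events are all constructed assumptions.

```python
"""Added example (not Home Assistant code): a presence-consensus guard for
unlock automations. Source names, the time window and the sample events
below are constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PresenceEvent:
    source: str      # e.g. "router_tracker", "phone_gps" (assumed names)
    state: str       # "home" or "not_home"
    at: datetime


WINDOW = timedelta(minutes=5)   # how recent a report must be to count
MIN_SOURCES = 2                 # independent sources that must agree


def presence_consensus(events: Iterable[PresenceEvent], now: datetime) -> bool:
    """True only if at least MIN_SOURCES distinct sources have 'home' as their
    latest state, reported within WINDOW of now. One source flipping, the
    usual presence false positive, is therefore never enough on its own."""
    latest: Dict[str, PresenceEvent] = {}
    for ev in events:
        if ev.source not in latest or ev.at > latest[ev.source].at:
            latest[ev.source] = ev
    fresh_home = [ev for ev in latest.values()
                  if ev.state == "home" and now - ev.at <= WINDOW]
    return len(fresh_home) >= MIN_SOURCES


def unlock_decision(events: Iterable[PresenceEvent], now: datetime) -> str:
    """What the automation should do: 'unlock' only on consensus."""
    return "unlock" if presence_consensus(events, now) else "keep_locked"


def voice_unlock_allowed(phrase: str, events: Iterable[PresenceEvent],
                         now: datetime) -> bool:
    """A spoken open/unlock request is honoured only when presence consensus
    already holds, so a phrase shouted at an empty house does nothing."""
    lowered = phrase.lower()
    wants_unlock = any(k in lowered for k in ("unlock", "open", "turn on"))
    return wants_unlock and presence_consensus(events, now)


# Constructed sample events relative to a fixed clock.
T0 = datetime(2018, 1, 1, 18, 0)


def _ev(source: str, state: str, minutes_ago: int) -> PresenceEvent:
    return PresenceEvent(source, state, T0 - timedelta(minutes=minutes_ago))


SINGLE_SOURCE: List[PresenceEvent] = [_ev("phone_gps", "home", 1)]
TWO_AGREE = [_ev("router_tracker", "home", 2), _ev("phone_gps", "home", 1)]
ONE_STALE = [_ev("router_tracker", "home", 10), _ev("phone_gps", "home", 1)]
FLIPPED = [_ev("router_tracker", "home", 2), _ev("phone_gps", "home", 3),
           _ev("phone_gps", "not_home", 1)]

if __name__ == "__main__":
    for name, evs in (("single source", SINGLE_SOURCE), ("two agree", TWO_AGREE),
                      ("one stale", ONE_STALE), ("flipped", FLIPPED)):
        print(name, "->", unlock_decision(evs, T0))
    print("shout from outside ->",
          voice_unlock_allowed("turn on the front door", SINGLE_SOURCE, T0))
```

The window and the source count are the knobs: a larger window tolerates slow trackers but widens the time a stale “home” report can vote, and raising MIN_SOURCES trades convenience for fewer accidental unlocks.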

Wifi is inherently insecure; anyone properly segmenting networks will never use wifi.

@keatontaylor: Side note, I have guest wifi and my private wifi separate, traffic from one can never reach the other. :wink:

This I agree with and still iterate that the user set up those functions knowingly. It’s only as secure as the user makes it.

2 Likes