How "safe" is HA's authentication?

Hello,

I am very new to HA, it's an amazing project and I have loved it from the first minute :slight_smile:

But how “safe” is its authentication?
I am running HA on a VPS; I don't want to hassle around with the Pi's SD card issues :slight_smile:

So I am running it behind an SSL (LE) protected Nginx. An SSL-secured Mosquitto is running on that machine, too.
At home an old Pi is running a second Mosquitto, SSL-bridged to the VPS's broker.
The broker at home is listening unsecured on the local network to get every device in, without doing SSL stuff on my ESPs :slight_smile:

Well, it depends on your choice of passwords really.

If you pick strong passwords you’ll be fine. You can enable MFA for the UI too.

If you pick password123 then all bets are off :wink:


Well said, 2FA is the best option. But the security is only as strong as the weakest link. Generating a long-lived token and having it published by accident, or without knowing about it (GitHub is full of those).
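The leaked-token failure mode described above is easy to catch before a commit leaves your machine. The following scanner is an added example (not code from the thread, not from Home Assistant, not from the poster): it looks for JWT-shaped strings, decodes the payload without verifying the signature, and flags any token whose lifetime is far beyond a normal session. The assumption it relies on, which the thread itself does not state, is that HA access tokens are HS256 JWTs whose payload carries `iss` (the refresh-token id), `iat` and `exp`, so a long-lived token shows up as an `exp` years after `iat`. The sample file, the token key and the 30-day threshold are constructed for the example.

```python
"""Scan files for Home Assistant-style long-lived access tokens before they
are committed. Added example, not part of the thread or of Home Assistant.

Assumption (from HA's auth implementation, not from the thread): HA access
tokens are JWTs (HS256) whose payload carries "iss", "iat" and "exp". A
long-lived token is one whose exp - iat is far beyond a normal session, so
the scanner flags any JWT whose lifetime exceeds LONG_LIVED_THRESHOLD.
The signature is never verified: we only need to recognise a token, not
trust it, so no key is required.
"""
import base64
import hashlib
import hmac
import json
import re
import sys
from pathlib import Path

# Anything that looks like a three-part base64url JWT (header always starts "eyJ").
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}")
LONG_LIVED_THRESHOLD = 30 * 24 * 3600  # 30 days in seconds; constructed cut-off, tune to taste


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_lifetime(token: str):
    """Return (iss, exp - iat) for a JWT-shaped string, or None if the payload
    does not decode to an HA-style claim set."""
    try:
        _header, payload, _sig = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):  # bad base64, bad JSON, wrong part count
        return None
    if not isinstance(claims, dict) or not all(k in claims for k in ("iss", "iat", "exp")):
        return None
    return claims["iss"], int(claims["exp"]) - int(claims["iat"])


def find_long_lived_tokens(text: str):
    """Return [(line_number, iss, lifetime_seconds)] for every long-lived
    HA-style token found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in JWT_RE.finditer(line):
            info = jwt_lifetime(m.group(0))
            if info and info[1] > LONG_LIVED_THRESHOLD:
                hits.append((lineno, info[0], info[1]))
    return hits


def make_demo_token(iss: str, iat: int, exp: int, key: bytes = b"demo-key") -> str:
    """Build an HS256 JWT with the HA-style claim set. Only used to construct
    sample input for this example; the key is arbitrary."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": iss, "iat": iat, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed sample "secrets.yaml": one 30-minute session token, one ~10-year token.
SHORT = make_demo_token("a" * 32, 1_700_000_000, 1_700_000_000 + 1800)
LONG = make_demo_token("b" * 32, 1_700_000_000, 1_700_000_000 + 10 * 365 * 86400)
SAMPLE = f"""# constructed sample file
ha_url: https://ha.example.invalid
session_token: {SHORT}
ha_token: {LONG}
"""


def scan_paths(paths):
    """Scan files on disk; returns {path: hits} for files with findings. For a
    pre-commit hook, pass the staged files and fail the commit if non-empty."""
    result = {}
    for p in paths:
        hits = find_long_lived_tokens(Path(p).read_text(errors="replace"))
        if hits:
            result[p] = hits
    return result


if __name__ == "__main__":
    targets = sys.argv[1:]
    result = scan_paths(targets) if targets else {"<sample>": find_long_lived_tokens(SAMPLE)}
    for path, hits in result.items():
        for lineno, iss, life in hits:
            print(f"{path}:{lineno}: long-lived HA token (iss={iss[:8]}..., lifetime={life // 86400} days)")
    sys.exit(1 if any(result.values()) else 0)
```

Run it with no arguments to see it flag line 4 of the constructed sample, or wire it into `.git/hooks/pre-commit` with the staged file list; the exit status is non-zero whenever a long-lived token is found. Because it keys on the claim set rather than on a key, it also fires on tokens minted by someone else's HA instance, which is what you want in a shared repo.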

Thanks for the tip about 2FA, it was easy to set up. Everything is working fine with my somewhat “special” setup :slight_smile: But I don't need to hassle around with SD card issues or with that MQTT SSL problem on ESPs :slight_smile: I am using ESP Easy now for all my ESPs.

Just wondering, as far as you guys know, has there ever been any professional pen testing done on HA?

I mean hypothetically, if we set up a publicly accessible vanilla HA OS instance (no custom add-ons/integrations) with a password that would be considered secure (a long randomly generated string) and called a contest at some white-hat event, telling people to do their best, how confident are we that this wouldn't end in a complete disaster?

Just curious :slightly_smiling_face:

I think that's a good one. Hope there is someone available to test it in their spare time lol. Would like to see how and if HA is vulnerable. Also with a Nabu Casa connection would be cool to see.

From my understanding the recent security issues were found by a professional security researcher; I would like to think he was testing it fully and not just one part.

No, none has been done as far as I know, probably for a couple of reasons:

  1. That takes money
  2. The majority of HA comes from other people's libraries, so testing version 4.1 of a library is only good for that point in time. Next week you have 4.2 and all bets are off.

I’m personally fairly confident, if only because there’s likely hundreds of thousands of HA installs out there (see here for stats of a subset of recent installs) and if there were major issues it’d be public by now. All the historical posts about being hacked have come from people failing to do any security (back when authentication was optional).

I would love to see somebody have a go at it in anger though.

All that said, I do have a proxy between HA and the Internet, and it does limit what URLs can be reached to just webhooks and a subset of the API. I started using that back when HA’s auth was optional, and do like the extra layer of logging and security it brings.

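The "proxy that only lets webhooks and a subset of the API through" described in the post above can be reduced to one decision: is this method and path on an allowlist, after the path has been normalised? The block below is an added example, not the poster's proxy and not Home Assistant code. The allowed paths (`POST /api/webhook/<long id>`, `GET /api/states/<entity>`, `GET /api`), the upstream address `127.0.0.1:8123` and the listening port 8124 are assumptions made for illustration; adjust them to whatever subset you actually expose. The point worth taking from it is the normalisation step: a naive prefix check on `/api/webhook/` is defeated by `/api/webhook/../config` or its percent-encoded form, so the path is decoded and collapsed before it is compared, and the collapsed path is what gets forwarded.

```python
"""Allowlisting reverse proxy in front of Home Assistant. Added example of
the 'webhooks and a subset of the API' filtering described in the thread;
not the poster's proxy and not HA code. Allowed paths, UPSTREAM and the
listening port are assumptions for illustration."""
import posixpath
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen

UPSTREAM = "http://127.0.0.1:8123"   # assumption: HA listens here, reachable only from this host

# (method, compiled path pattern), matched against the *normalised* path.
# Anything not listed gets 403. Patterns are anchored and allow only the
# characters the route legitimately needs.
ALLOW = [
    ("POST", re.compile(r"^/api/webhook/[A-Za-z0-9_-]{32,}$")),   # long random webhook ids only
    ("GET",  re.compile(r"^/api/states/[a-z_]+\.[a-z0-9_]+$")),    # one entity's state
    ("GET",  re.compile(r"^/api$")),                                # liveness check ("/api/" normalises to "/api")
]


def normalise(path: str) -> str:
    """Percent-decode, then collapse '.', '..' and repeated slashes.
    The leading slash is re-applied first so '//evil' cannot become a
    scheme-relative path and so normpath never yields a relative result."""
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def is_allowed(method: str, raw_path: str) -> bool:
    """True iff method + normalised path is on the allowlist. The query
    string is ignored for the decision (but forwarded by the proxy)."""
    path = normalise(urlsplit(raw_path).path)
    return any(method == m and pat.match(path) for m, pat in ALLOW)


def upstream_target(raw_path: str) -> str:
    """Path actually forwarded: the normalised path plus the original query,
    so the backend never sees the un-normalised form we made the decision on."""
    parts = urlsplit(raw_path)
    return normalise(parts.path) + (f"?{parts.query}" if parts.query else "")


class FilteringProxy(BaseHTTPRequestHandler):
    def _handle(self):
        if not is_allowed(self.command, self.path):
            self.log_message("DENY %s %s", self.command, self.path)
            self.send_error(403)
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = Request(UPSTREAM + upstream_target(self.path), data=body, method=self.command)
        for h in ("Authorization", "Content-Type"):          # forward only what HA needs
            if h in self.headers:
                req.add_header(h, self.headers[h])
        try:
            with urlopen(req, timeout=10) as resp:
                status, data, ctype = resp.status, resp.read(), resp.headers.get("Content-Type")
        except HTTPError as e:                               # pass HA's own 4xx/5xx through
            status, data, ctype = e.code, e.read(), e.headers.get("Content-Type")
        self.send_response(status)
        if ctype:
            self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    # Put TLS termination (nginx, as in the thread) in front of this on 443.
    ThreadingHTTPServer(("0.0.0.0", 8124), FilteringProxy).serve_forever()
```

Every denied request is logged with the raw path, which is the "extra layer of logging" the post mentions: a burst of `DENY` lines against `/auth/` or `/api/config` from one address is a cheap early-warning signal that something is probing the instance.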