Man-in-the-middle attack mitigation (NabuCasa)

Ever since the rollout of NabuCasa cloud services, the issue of a man-in-the-middle attack has been documented as a security concern. On the “Remote UI” page, there is mention of the possibility to automate the process of auditing the certificate.

https://www.nabucasa.com/config/remote/

Is anyone aware of any plans to implement this feature?

No, and I don’t see this information they mention:

You can find the fingerprint by looking at the certificate info in the cloud configuration page inside Home Assistant.

I know for a fact that I am being MITM’d when at work. My employer calls it a “proxy server” but it is basically a MITM attack. Otherwise they have no way of monitoring encrypted sessions.

1 Like

If you go here

…and go to Home Assistant Cloud, under Remote Control select Certificate Info you should see something like this:

[image: screenshot of the Certificate Info panel under Remote Control]

The full current Certificate fingerprint is exposed.

If you log into your dashboard via the URL under Remote Control, your browser will have the ability to display your certificate and fingerprint. On Firefox it’s a padlock icon to the left of the URL. This is what I see:

[image: screenshot of the browser's certificate viewer showing the fingerprint]

Note that the SHA-1 fingerprint is the same as above. I think that indicates there is no man in the middle. You should get an alert in your browser if they are different. It seems to me the HA companion app should be able to do this. If I’m wrong, I guess I’m doing the equivalent of drinking my own bathwater.

Clients do not know the fingerprint of your original certificate.
They only check:

  • if the certificate has not expired
  • if the certificate is signed by a trusted CA
  • if the certificate domain matches the URL domain

All things MITM proxies handle.

1 Like

Thanks for the reply.

If a client uses HTTPS, wouldn’t it have the ability to calculate the fingerprint? I can pull up the SHA-1 fingerprint between endpoints in the browser as I type this. If it’s not practical to calculate it, the requirement would be to share the current fingerprint in a trusted way.

I don’t mind the discussion from a feasibility point of view, but right now we’re soliciting votes.

Respectfully.

The best advice is just to use a VPN if you are concerned about it. Like on public wifi during travel, at work, etc. If you own the client they will need to install a fake CA, so if you have to access the internet via a hotspot webpage that is a good signal that you should be using a VPN. And you will see some sort of prompt about installing something.

If you don’t trust the client like for work, then you can look at the CA to see if it is being intercepted. It will not be Let’s Encrypt, it will be something private.

1 Like
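The two checks the thread has discussed so far, comparing the presented certificate's fingerprint against one recorded out-of-band (the value shown on the cloud configuration page) and looking at who issued the certificate (a private CA instead of Let's Encrypt), are easy to script. The Go program below is an added example written for this discussion; it is not part of Home Assistant, NabuCasa or any poster's code. All function names are my own, the "Example Private CA" and `remote.example.invalid` values are constructed test data, and `NewSelfSigned` exists only so the checks can be exercised without a network connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// colonHex renders a digest the way browser certificate viewers and the
// Home Assistant Cloud "Certificate Info" panel show it: AB:CD:EF:...
func colonHex(sum []byte) string {
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// A fingerprint is just a hash of the certificate's DER bytes, which every
// TLS client already holds after the handshake. Computing it is cheap; the
// hard part is knowing the expected value in a trusted way.
func FingerprintSHA256(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return colonHex(sum[:])
}

func FingerprintSHA1(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return colonHex(sum[:])
}

// normalizePin tolerates colons, spaces and lower-case hex in a pasted value.
func normalizePin(fp string) string {
	return strings.ToUpper(strings.NewReplacer(":", "", " ", "").Replace(fp))
}

// MatchesPin reports whether the presented certificate has the SHA-256 or
// SHA-1 fingerprint the user recorded from the cloud configuration page.
func MatchesPin(cert *x509.Certificate, expected string) bool {
	want := normalizePin(expected)
	return normalizePin(FingerprintSHA256(cert)) == want ||
		normalizePin(FingerprintSHA1(cert)) == want
}

// IssuerHasOrganization is the second check from the thread: an issuer that
// is not the expected public CA (Let's Encrypt for the remote UI) points to
// an interception proxy with its own private CA.
func IssuerHasOrganization(cert *x509.Certificate, org string) bool {
	for _, o := range cert.Issuer.Organization {
		if o == org {
			return true
		}
	}
	return false
}

// FetchLeaf completes a TLS handshake with host:443 and returns the leaf
// certificate actually presented. Verification is skipped on purpose so a
// certificate from a proxy's private CA is returned for inspection instead
// of being rejected; no data is sent and the result is audited, never trusted.
func FetchLeaf(host string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", net.JoinHostPort(host, "443"), &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // audit only, see comment above
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s presented no certificate", host)
	}
	return certs[0], nil
}

// NewSelfSigned builds a throwaway certificate (constructed test data). For a
// self-signed certificate the issuer equals the subject, so issuerOrg ends up
// in cert.Issuer.Organization, which lets the issuer check be tested offline.
func NewSelfSigned(issuerOrg, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName, Organization: []string{issuerOrg}},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// With a hostname argument the live endpoint is audited; without one the
	// constructed certificate is used so the program runs offline.
	var cert *x509.Certificate
	var err error
	if len(os.Args) > 1 {
		cert, err = FetchLeaf(os.Args[1])
	} else {
		cert, err = NewSelfSigned("Example Private CA", "remote.example.invalid")
	}
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("subject:", cert.Subject.CommonName)
	fmt.Println("issuer: ", cert.Issuer.Organization)
	fmt.Println("sha256: ", FingerprintSHA256(cert))
	fmt.Println("sha1:   ", FingerprintSHA1(cert))
	fmt.Println("issued by Let's Encrypt:", IssuerHasOrganization(cert, "Let's Encrypt"))
}
```

Run it with your remote UI hostname as the argument from the network you are unsure about, then compare the printed fingerprint with the one on the Certificate Info panel viewed from a network you trust; the issuer line is the quicker tell, since a proxy that re-signs traffic cannot obtain a Let's Encrypt certificate for your hostname. Remember that the fingerprint changes whenever NabuCasa renews the certificate, so a pinned value has to be refreshed, which is exactly why the thread is asking for this audit to be automated rather than done by hand.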

I’ve done some more reading and my musings over the last day might be misrepresenting what needs to be done.

What was initially envisioned by NabuCasa was to use an open source framework for doing the auditing. I do not yet know where this process would occur or how it would be practically implemented for HA and NabuCasa.

Here’s a link describing Certificate Transparency (CT).

https://en.wikipedia.org/wiki/Certificate_Transparency

Nevertheless, my initial post is accurate regarding the feature request. A vote would be appreciated.