Cool, thanks. My setup is pretty simple. Custom domain, Cloudflare tunnel (Cloudflare is also my registrar and DNS, not that it should make any difference). On the Cloudflare side I have it configured to require a Google login before you can access Home Assistant. I do plan on using WireGuard to replace that, but that still won’t help unfortunately.
These things are a non-starter for me:
- Public unrestricted access to HA front door
- Giving your service a long-lived access token to my HA instance
- Giving your service a key to join my VPN
I would consider that a lot of Home Assistant users are going to be people who: a) are more technical than most and (maybe) understand security implications of technologies, and b) are very much going to prefer or require non-cloud solutions.
Here are the reasons I won’t grant these things:
- HA is extremely risky from a security perspective. The front door doesn’t have bugs that we know of as of today. But that can change quickly. It shouldn’t be assumed that it’s safe to expose the front door to the internet and will remain so forever.
- There is absolutely 0 ‘layered security’, and once you’re past the front door, you have completely unrestricted access to any data, including plaintext credentials for any service I’ve logged into with HA. I removed my iCloud information when I realized that, but there are still plenty of account credentials and access tokens that need to be stored somewhere for HA to function. That’s a risk we all take using this software. See the “Test Demo” section below. I did this in like 5 minutes.
- There is no such thing as a ‘limited user’ in HA. There are so many ways to escalate privileges it might as well not exist. If a user has installed anything which can read the fs, like Terminal, Visual Studio Code, or something that can upload arbitrary files, then it really doesn’t matter if a token or user is restricted. It can be trivially bypassed.
- As for the VPN thing, I suppose (if the other stuff could be locked down) I could create a separate VPN only for your service and HA, then have my own VPN for myself and HA. But I’m not sure: can I join 2 WireGuard VPNs at the same time with Home Assistant? Will that cause any issues? I don’t know, but I probably would abort that mission at the slightest hint of anything problematic. Debugging a double VPN is not in my skillset, nor do I really want it to be. And I’m simply not going to make a VPN that contains all of my trusted devices and your EC2 instance.
See, all of these mechanisms (HA token, VPN) rely entirely on me trusting you to have completely secure infrastructure for all of your stuff, forever. You will need to keep everything updated, fully private, never make a misconfiguration of credentials or allow your own personal laptop to be compromised (which would likely expose credentials for your cloud account). I do this professionally and I know how complex it is to make something secure. And at the end of the day, nothing really is. But if I compromise myself, that’s one thing. If I give you the keys to my systems, then I’m relying on you to maintain that security until the end of time (or as long as I want my floorplan software to work, which ideally would be for a while, especially if I’ve paid for it).
OK, so what CAN you do? I see plenty of great options that honestly I think are going to be way more appealing for the vast majority of users. I’ll skip a list, though, and go straight to what I think is a pretty solid compromise that gets you money, avoids the issues, AND even has additional benefits.
Solution:
Your software does not “run” the Floorplan, what your software does is EXPORT a floorplan that can be used offline within home assistant. You could charge per export, but I think a better option (because people will need to tweak things) is e.g., you pay $15 for unlimited exports for one month. Your subscription is for the builder & exporter, NOT to use the floorplan.
You could still do the per-export pricing but I think a 1 month “unlimited exports” strategy works better because it’s a good value and sets a nice floor on how little a customer can pay. If you charge $1 for an export, you might only get $5 from a customer. If you charge $5 per export, it no longer feels like a good value.
I would just drop the idea you’re going to get meaningful subscription revenue from the basic functionality, frankly. I’ll pay you, but I’m not paying hundreds of dollars over years either. Maybe I’m wrong and you’ve got tons of paying customers. But subscription fatigue is real and I personally don’t really use software with subscriptions. If I do, it’s something I can use for a month or two when I need it then cancel.
Nice things about this model:
- For anyone who has installed Inkscape and tried to make their own floorplan a few times (I doubt many finish one their first time), $15 is going to be a “shut up and take my money” scenario. I’d do it today. Sweet Jesus, I would love to.
- You don’t need to maintain a bunch of sensitive information, deal with GDPR (as much), or be prepared to notify customers of data breaches. Or at least the notifications won’t be like ‘hey, someone might have access to your entire home and everything you’ve ever used with HA, my bad!’
- It’s way more customer friendly because you’re NOT asking for a perpetual subscription in the same way; the subscription is purely to use the design+export functionality. That’s the hard part. I don’t really need you to run the floorplan or make small tweaks. If I want to do a big redesign, I pay my fee again. Customer friendly = doesn’t feel like a price gouge = builds goodwill with customers = they recommend it to others as a ‘must have’ tool.
- Way way more secure for users due to all the things I mentioned
- Way more secure for YOU, because you’re not nearly as big of a target. Instead of a bucket of juicy tokens someone could use or sell, you’ve got little of value, assuming you use a third-party payment processor.
- Users are not going to see a tool which attempts to hoard their data to lock them into monthly payments. Instead they’re going to see a tool which provides them a valuable service for a reasonable payment. People don’t like the first one. The second option they love.
- Home Assistant is designed to work without the internet. Clearly, requiring the internet to use your floorplan is diametrically opposed to this concept and people won’t like it purely on principle. I don’t really want to be forced to have a contingency plan for controlling my stuff if my internet happens to be down. I want my floorplan to be the backbone.
- You also isolate yourself from a huge amount of backlash should your own systems ever go down or need maintenance. If someone can’t edit their floorplan because some queue backed up in the middle of the night, that’s one thing. If you want to be generous add a day to everyone’s subscription. But if that happens and people cannot control their lights at home, you had better be prepared for a shitstorm of fury and lost customers. Get yourself out of the critical path, it’s really hard to build trust and doesn’t take a lot to lose it.
- You also piggyback on all of the benefits of getting home automation off of the cloud, the biggest ones being speed and reliability. You stop worrying about latency for every single request. You stop worrying about retries and queues and figuring out “did that person’s light REALLY turn on?” Should you manage to be popular enough to need to worry about performance with your current model, this will become a more significant problem.
Downsides:
- You will make less per customer. Answer: But you’d actually have customers! Snark aside, you’d certainly have a lot more. Tweak the economics when it becomes relevant (I’m guessing it’s not right now). But some napkin math: 10k customers w/ a $15 one-time payment = $150k gross (first-year guesstimate). There are 2 million installations of HA apparently. If you achieve 5% penetration, that’s 100k customers and $1.5 million gross. Use that money to add more value and get more revenue.
- Maybe it feels out of your control in some way, like people are just going to pay once and use the floorplan forever, and not need you. Answer: This is true. But is your goal to have people need you? Probably not. You should model the scenarios in a spreadsheet and look at which one makes more money based on your sales data.
- You worked so hard and it takes ongoing maintenance! A one-time payment isn’t sustainable! Answer: Not having customers is also not super sustainable.
Would you rather have like 100 customers paying $5/month or 50000 customers, each of which paid $15 once, and 1000 of which are paying a monthly subscription? There is a reason startups heavily subsidize stuff at the beginning, and it’s not because they’re stupid or love wasting money. You’re in a great position because you already have something people desperately want…almost. But I guarantee you, right now, most people are going to see this and say “OMG a floorplan tool?! that makes it easy?! I need this! …oh wait it’s a paid cloud service and they could raise the price and lock me out of my floorplan at any time. Hard pass”.
It’s a bit of a leap of faith but you’ve already built a lot of this, right? You don’t have much to lose.
Test Demo
Original iCloud integration (the broken one that’s in the official integration store):
grep -I -r -i -E 'password|token' /config/.storage/icloud
If you use the updated one, iCloud3:
# iCloud3 stores the password base64-encoded between «« and »»; pull out the wrapped value and decode it
grep -m 1 '"password"' /config/.storage/icloud3/configuration | sed -E 's/.*"««([^»]+)»»".*/\1/' | base64 -d
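The one-liners above target two integrations by name. As an added example that is not part of the original post and not Home Assistant's own tooling, the script below generalises the same check: it walks a .storage-style directory, parses each JSON file, flags every key whose name looks like a credential, unwraps the iCloud3-style ««base64»» value the sed|base64 pipeline decodes, and reports a fingerprint instead of the secret itself. The directory layout and file contents in build_sample_storage() are constructed to resemble .storage entries and are not copied from a real install; the key-name regex and the "notes.txt" non-JSON file are assumptions for the demo.

```python
"""Added example (not from the post or from Home Assistant): inventory the
credential-like values sitting in a Home Assistant /config/.storage tree.

Values are replaced by a short SHA-256 fingerprint so the report is not a
second copy of the secrets; matching fingerprints show the same secret stored
in two places. The iCloud3 convention ("««<base64>»»") is unwrapped first so
it is reported as the plaintext-equivalent it is.
"""
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Assumed list of key names worth flagging (case-insensitive).
SECRET_KEY_RE = re.compile(r"password|passwd|token|api_?key|secret", re.I)
# iCloud3-style wrapper: the whole value is «« base64 »».
WRAPPED_RE = re.compile(r"^««(.+)»»$")


def unwrap(value: str):
    """Return (plain_value, was_wrapped); decodes the ««base64»» wrapper if present."""
    m = WRAPPED_RE.match(value)
    if not m:
        return value, False
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8"), True
    except (ValueError, UnicodeDecodeError):
        return value, True  # wrapped but not valid base64: report the raw value


def fingerprint(secret: str) -> str:
    """Non-reversible handle for a secret, for matching copies across files."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def _walk(node, path, file, findings):
    """Recurse through parsed JSON; record string values under credential-like keys."""
    if isinstance(node, dict):
        for key, val in node.items():
            if isinstance(val, str) and SECRET_KEY_RE.search(key):
                plain, wrapped = unwrap(val)
                findings.append({
                    "file": file,
                    "key": ".".join(path + [key]),
                    "encoding": "base64-wrapped" if wrapped else "plaintext",
                    "fingerprint": fingerprint(plain),
                    "length": len(plain),
                })
            else:
                _walk(val, path + [key], file, findings)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            _walk(val, path + [str(i)], file, findings)


def scan_storage(root) -> list:
    """Parse every JSON file under root; return one finding per credential-like value."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            data = json.loads(p.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not JSON: a plain grep like the post's would still catch strings here
        _walk(data, [], p.relative_to(root).as_posix(), findings)
    return findings


def build_sample_storage() -> str:
    """Write a constructed .storage tree into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="ha-storage-"))
    # Constructed: shape loosely follows core.config_entries (domain + per-entry data).
    (root / "core.config_entries").write_text(json.dumps({
        "version": 1, "key": "core.config_entries",
        "data": {"entries": [
            {"entry_id": "entry-a", "domain": "icloud",
             "data": {"username": "me@example.com", "password": "hunter2"}},
            {"entry_id": "entry-b", "domain": "some_cloud",
             "data": {"access_token": "tok-constructed-1", "refresh_token": "rt-constructed-1"}},
        ]},
    }), encoding="utf-8")
    # Constructed: iCloud3-style config with the password wrapped as ««base64("hunter2")»».
    (root / "icloud3").mkdir()
    (root / "icloud3" / "configuration").write_text(json.dumps(
        {"username": "me@example.com", "password": "««aHVudGVyMg==»»"},
        ensure_ascii=False), encoding="utf-8")
    # Constructed non-JSON file: skipped by the parser (see scan_storage).
    (root / "notes.txt").write_text("password=not-json\n", encoding="utf-8")
    return str(root)


def main():
    for f in scan_storage(build_sample_storage()):
        print(f"{f['file']:<24} {f['key']:<34} {f['encoding']:<15} "
              f"sha256:{f['fingerprint']} len={f['length']}")


if __name__ == "__main__":
    main()
```

Run it against a real install with `scan_storage("/config/.storage")`; the two "hunter2" entries in the sample come out with the same fingerprint, which is the point: the base64 wrapper adds nothing once someone can read the file.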