Security advantages of using Nabu Casa

Some devices does that, yes.
I can’t remember what the technology is called but I know my IP camera does that too.
It broadcasts past my network without my “permission”.

But is that really a good thing?
In your scenario I can see that you might want it but imagine someone else that only want local control, then HA broadcasts past the router.

I’m not sure I see that as a benefit.
But yes, there could have been an account that you sign in on first at nabu, then you get presented with your HA instance.

Not sure if there is enough safety benefits of that opposed to the extra work.

I think there’s a pretty significant security benefit to that model. But yes, if you want purely local control only with no cloud involved (which is why a lot of people choose HA in the first place I assume?) then you’re only option I think is opening a port and connecting directly to your instance.

Just as an aside for anyone else who might in the same boat as me, I’m experimenting with using Apple’s HomeKit integration and using that as a “frontend” for HA and remote access. So I keep HA locked down and only accessible locally in my LAN, but if I’m away from home I can control switches, lights, alarm, etc, using the “Home” app on my iPhone. So far I’m amazed at how well it’s working, and I’m using it for presence detection too which is slick.

More technical how the end to end encryption work:
https://www.nabucasa.com/config/remote/

You can make an automation, that turn the remote connection on, if you phone is not connected at your LAN.

1 Like

As I said (implied) I’m not an expert in area, but I believe with that model your router opens a port automatically.
I could be wrong.

And creating an account on “some webpage” wasn’t much of a deal for me either a few years ago but then you start noticing what the level of questions are on web developers on stack overflow.
You get questions on how to store plain text passwords in text files.
Or how you use old functions that prone with security flaws.

And it’s not an one off thing. It happens pretty much daily.

And then there is big companies such as a German post company, but let’s not name them name shall we? :smiley:
You register on their customer page and you get an email back with the login details in plain text.
I got completely stunned and actually called them and the guy who was some security boss did not understand and refused to listen.

Off course I have higher views on nabu casa.
I honestly do believe they know what they are doing. But the amount of garbage out there is insane.
If I’m presented with “create an account” I generally back out the same way I got there unless I really really need the service.

“As I said (implied) I’m not an expert in area, but I believe with that model your router opens a port automatically.
I could be wrong.”

Believe me I’m nothing even close to an expert with security or networking either. However, using the SmartThings example I can tell you that you absolutely do not need any ports open yet you can still remotely control devices in your home, etc. I think the distinction is: the SmartThings hub will initiate it’s own https connection to the ST cloud service (outbound), and once that connection is established it is used to communicate back and forth between the cloud and the hub in your house. But that only works because a device on the inside of your LAN initiated the connection. The reverse scenario, where you want to initiate the connection from the outside internet into your LAN (ingress) requires a port to be open on your router. That’s probably not a great explanation, but I think that’s the general idea.

Back to HA, I’m not sure with Nabu Casa if it follows that scenario, or if Nabu Casa simply proxies a secure connection into your HA instance. It sounds like the latter to me based on what everyone else has said, but I might be misunderstanding.

Yes, you’re wrong. Opening (forwarding) ports on your router can only be done by:

  1. You (on the router/firewall).
  2. Upnp, a protocol that does it on your router on behalf of a device or application.

But, since most of the routers are not enable for upnp by default this will not work well.

In addition, there is 1 port open in nabucasa, which is 443, the default for https traffic. Based on the host header (url) they forward the traffic to the proper instance of the user.
Probably a vpn/secure tunnel will be setup from a homeassistant instance to nabucasa and used for forwarding.

This way there is thus no need for an open port on any ones router. Being relatively safe.

But since the original homeassistant interface is simply presented via nabucasa to the client (via the tunnel and 443) and without any additional security measures in nabucasa (ip reputation, geo-ip, rate limiting, DOS, APT, etc.) It is both equally safe…

Ok, I thought about this and realize now how wrong it was. I was trying to provide a direct correlation between the two options and went completely wrong trying to stick to the same framework.

With an IP all of the positions don’t always exist and not all of them can be 9 (really 10) possible values. I knew it wasn’t going to be 100% technically correct but didn’t realize how wrong it was at the time.

Thanks for setting the record straight.

1 Like

Perhaps in the past that was true.

@muffedpunts
I believe that is what your smartthings use also.
I don’t know a lot about it but just a few minutes of googling showed me the above.

@Hellis81 Nope, UPNP is disabled on my router. Again, no port forwarding required for smartthings.

Isn’t that what I said?
“Router opens a port automatically”.
Isn’t that pretty much the description of upnp?

Are you sure you just haven’t forgotten that you did the port forwarding?
I can’t really see any way that any given router would just let smartthings through just because…
I did some reading and Samsung has a help section named port forwarding, and this thread talks about it and upnp.

But sure, I don’t own a smartthings and probably never will.
I just base this on my Google skills.

@Hellis81 Positive, 100% I was not forwarding any ports. Go re-read my earlier post about how devices like SmartThings work when connections are initiated from inside your LAN. In fact, if you read the rest of what you just posted, you’ll see a developer literally said that port-forwarding is not required, nor is upnp.

Ok…

I see what you mean now…

absolutely do not need any ports open yet you can still remotely control devices in your home, etc

Was interpreted by me as remotely control meaning that you are on a remote area trying to control your home.
Meaning you are outside and controlling the inside.
Ok…

But that was not really the discussion. If you want to be outside and control the inside then you must open some ports, right?
So then smartthings have the same “issue” that HA does?

If you open the ports to smartthings then a wild guess at your IP and a correct password and I would be in? Or?

@Hellis81 No you interpreted what I said correctly - you CAN control your SmartThings devices when you are away from home, and you do NOT need ports opened. I’m not sure how else to explain this to you, so I’m giving up now.

No, read again. A router is NOT opening a port. A device such as homeassistant COULD do it (via upnp). But ir does NOT open a port.

1 Like

In that case something is wrong because the whole point upnp is to open port 1900.
You do not see that it’s open in port forwarding, but that is the port that opens when you enable upnp.
You can argue against however much you want but upnp is opening a port, that is a fact.

Again. IT IS NOT opening any port! Homeassistant is NOT using upnp toward an internetrouter. Stop polluting this topic please.

I e.g. have a fortigate firewall, no ports open to homeassistant. But I can access it via nabucasa. Without upnp.

Nabucasa does NOT need upnp to function.

1 Like

That has never been any part of the discussion.
The discussion has been about upnp.

You claimed upnp does not open ports, which the exact thing it does.
It has nothing to do with HA.

But I can access it via nabucasa. Without upnp.

Because it uses ports that is already open. Duh!

Read back. I also stop responding.

For the record the random URL/random guessing doesn’t provide much protection. Because the connections are secured/HTTPS the URL’s Nabu Casa generate are all publicly published.
HTTPS encryption on the web – Google Transparency Report

3 Likes