Security through obscurity isn't a good strategy on the Internet

The issue isn’t that one’s instance is not invisible. The issue is that there’s a mistaken belief that invisibility will help to protect an otherwise minimally secured system.

Agreed, but just adding SSL doesn’t make HA more secure by itself, that’s my point.
It definitely prevents sniffing, but it’s not something really useful for your average remote hacker with no infrastructure access.

In that regard, Nabu Casa is not more (but not less) safe than duckdns + letsencrypt, or just enabling SSL in HA itself and, to quote your OP, none of those prevents your instance from being “accessible from anywhere”, which is the actual issue, outlined in the openHAB post.

But easier to implement for users whose expertise amounts to forwarding a port.

Never said it would. In fact, nor do the replies in the openHAB thread. If you read rlkoshak’s detailed response, which lists several ways to improve security, none specifically address visibility. There are methods to locate instances of openHAB and Home Assistant, be they secured or not. The moral of the story is to be one of the secured instances.

There are “a few” threads that cover this ground already. I also remember back when authentication was optional :joy:

To be honest, I think you’re thinking too much of people. Most who did that didn’t think that far.

Beyond that, there’s not a lot more that can be done - maybe advising MFA in the securing docs? I certainly see no reason you (or somebody else) can’t add a section on VPN use for HA - maybe I should add details of how I do it, with a combo of proxy server (limiting access to webhooks) and VPN (for remote UI access) :man_shrugging:

Ultimately, you can’t force people to make good choices beyond what’s built into the system for them.

I’m giving them the benefit of a doubt that they understood the implications of port forwarding (but I agree with you that some probably didn’t).

:scream:

That’s pretty bad. I just watched this last night on the Tailscale VPN addon and can’t think of an easier way for people to secure the network, with no port forwarding needed.

I remember the posts of “My HA was hacked!” or “Was my HA install just hacked?” and it turned out to be people willingly (though possibly unknowingly) opening SMB to the internet…

I forward 3 ports from my internal network. My SSH rejects password authentication and requires public/private key pairs; otherwise the server immediately closes and refuses the connection. The other ports have SSL and will not respond to insecure HTTP connections (not even an invalid certificate warning). Combine that with a few non-standard ports and 2FA logins. It’s not the most secure by any means, but it’s a start. True security is a closed network that has no in or out access. Unfortunately that breaks functionality. The next best thing is combining multiple security methods such as a little bit of obscurity, encryption, two-factor auth, port knocking, just to name a few.
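The key-only SSH setup described in the post above, turned into an added audit script (not code from the thread): it parses a constructed `sshd_config` and lists which settings differ from that setup. The keyword names are real `sshd_config` keywords; the sample config and the expected values are assumptions for the example.

```python
"""Audit an sshd_config against the key-only access described in the post.

Added example for this thread, not code from it. Parses a constructed
sshd_config and reports settings that contradict the described setup.
"""
from typing import Dict, List

# Constructed sample sshd_config (hypothetical, not from any real host).
SAMPLE_SSHD_CONFIG = """
# hypothetical sshd_config used to illustrate the check
Port 2222
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Settings implied by the post: no password logins, keys required.
# (Assumed expectations for the example; sshd defaults otherwise apply.)
EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> effective value (lower-cased keyword).

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here too. Match blocks and 'Key=value' syntax are not handled.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for key, wanted in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set, sshd default applies (set '{wanted}' explicitly)")
        elif actual.lower() != wanted:
            findings.append(f"{key}: is '{actual}', expected '{wanted}'")
    if settings.get("port", "22") == "22":   # non-standard port is obscurity only
        findings.append("port: default 22 (the post uses a non-standard port; obscurity, not a control)")
    return findings
```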

Am I missing something, but how does Tailscale secure the connection any differently than something like Nabu Casa?

It looks like you are still storing credentials on an external third party commercial software platform that handles the connection security for you.

Sure it may be easy (but so is NC), but I don’t think it’s any more secure.

Other VPNs such as OpenVPN and WireGuard require you to set up a Secure Key on the client, and if it doesn’t exist you can’t connect.

With Tailscale if the credentials are compromised/hacked from that public facing business what protects you from the hackers getting access?

At least with NC, if things get hacked the most they can gain access to would be your HA instance (bad enough), but they couldn’t get access to your entire network like they could with a hacked third-party hosted VPN.

I agree storing the credentials isn’t the best, and that’s why I use WireGuard, since the credentials aren’t stored in the cloud anywhere. But I definitely think Tailscale is better than just port forwarding 8123 with no encryption.

Inspired by this post I started a community guide on securing HA.

For those looking for guidance on security or for those with the expertise please see the link below and provide any feedback you have.

From what I read, Tailscale doesn’t identify you using their own authentication system. You authenticate via an existing service you may already have (they currently support Google, Microsoft, and Okta). For example, if you already use two-factor authentication with your Google account, that’s what you will also use to access your Home Assistant system (via Tailscale).

Tailscale’s free tier is limited to one account. Multiple accounts are provided in their first paid tier at US$5/month. At the risk of sounding like a shill for Nabu Casa, in terms of ‘bang per buck’ Nabu Casa offers more services for the same money (but no free tier). If someone doesn’t need the extra services and is just one user requiring remote access then Tailscale is an inexpensive and secure option.

Note
I have no idea if you can use multiple free Tailscale accounts (one per family member) to access the same system. I’ll take a guess and say “probably not”, otherwise why would anyone go with their paid tier.

Do you recall which post? I skimmed through that lengthy thread and recall that was suggested as a possible cause but the hacked user insisted their Samba instance wasn’t facing the Internet.

I remember a few that were that for sure. Lots were people exposing MQTT to the Internet, with no authentication.

This sums it up: :man_facepalming:

Very true.

Kind of like saying locking your doors and leaving the key under the mat is better than leaving them unlocked. True but only minimally so. :laughing:

If we go with that metaphor, the key isn’t under the mat but held by either Google, Microsoft, or Okta (whichever one you choose to use with Tailscale), who acts as the “concierge”. If you fail to identify yourself to the concierge, you’re not getting in.

Right.

It’s not like people who willy-nilly open ports on their routers without having any idea why would also have a stupidly insecure Google password. I mean, it’s only email, right?

Then they add insult to injury by using the same insecure Google password to completely open their home network to Google hackers too through the VPN.

I second that. :man_facepalming:

Unless the crook pays them off, or steals it from them, or tricks them into giving them the key.

Nothing is completely secure but having everything under your own control and local is way more secure than trusting any third party.

I think Microsoft and Google encourage the use of good passwords (by rating it as you create it). What I don’t know is if they reject weak passwords (I never tried).

There were instances of UPnP exposing non-secured SSH access to the Internet. This is why SSH is no longer activated by default and requires a password to be configured at a minimum.

The problem with VPN access is that VPNs are blocked by many corporate networks. My employer for example blocks both VPN access and dynamic DNS services. Nabu Casa works though.

Coupled with multi-factor authentication, I’m reasonably confident with the level of security Nabu Casa offers.

That Google transparency list was a bit of a surprise though.