Hi, I’m running Home Assistant with HTTPS set up using my own certification authority. This works great, but I feel uncomfortable that HA is facing the internet secured just with a simple password. It would be great if Home Assistant also supported SSL client certificates for authentication. This will add a strong layer of security.
Currently, the only way of securing HA with client certificates is to use an nginx or Apache reverse proxy, which isn’t that easy to set up, and also adds unnecessary overhead.
The SSL client certificates are supported by all major browsers, including mobile.
client certificates are different from server certificates.
client based certificates will only allow the devices you have the client certificate installed on to be allowed to access. some companies require a client cert to access company email on your personal mobile devices.
It is a decent feature request, but unless HA makes generating the certificate easy it is harder to generate the client certificate with a CA (that you can then add to your list of trusted CAs) than it is to setup NGINX with client certificates (at least in my opinion).
Also, as a general note, I think passwords + fail2ban is secure enough. Monitoring my logs, no one ever actually tries to log into HA, all the scripted attacks are going for my SSH port trying to log in with admin or root. I do use a client cert, but that is just so I don’t have to type passwords all the time on my phone since I setup a fallback to passwords so I can use any PC.
I like this idea as well. It would be awesome if hass generates a root CA and provisions the app with a client cert when connected to the local network (default to rfc1918 addresses) and only allows https with a client cert from the internet (non-rfc1918). In my opinion this would improve security massively. Peronally I’m now using a client VPN to connect to my home network and access hass in that way, but that drains my phone battery unnecessary and is complex to setup. Using the app directly over the internet in a secure way would be very cool.
The password + everything is good enough while the HA has not any 0-day, but after that, e.g. a malformed request can break the security that will not trigger the fail2ban.
I know, there are many smart guys on HA security, but I have more trust in SSL and x509 client auth.
I think this is a great idea. It would improve ha security a lot, especially from zero-day bugs. I definitely want to see this feature in the home assistant in the future.
