Warn about insecurely configured components

Being a little bored today, I browsed a bit through shodan to have a look at how seriously people take their security. Fortunately I couldn’t access any HA’s directly from the few I’ve tested.

I did however stumble upon some MQTT brokers that are accessible without authentication. This might be on purpose, but probably not.

What came to my mind then was that it could be nice to detect possibly insecure setups with components where this makes sense. Taking MQTT as an example, if the setup of the platform notices that no login-credentials are in the config, then a persistent notification could be displayed. Given that the broker could be local only where authentication would not provide any benefit, this notification-behaviour could be deactivated actively with some extra-parameter (like iknowwhatimdoing: true) in the component-configuration.

What I intend to achieve here would be a discussion on whether this is something others find useful as well, and maybe how this should be implemented so it’s equal across the targeted components. And of course maybe collect components that would benefit from such a mechanism.
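
Added example, not part of the original post and not Home Assistant code: a sketch of the proposed check, run over an already-parsed configuration dict. The `CREDENTIAL_KEYS` table, the function names and the `username`/`password` key names are assumptions; `iknowwhatimdoing` is the opt-out parameter suggested in the post.

```python
from dataclasses import dataclass

OPT_OUT_KEY = "iknowwhatimdoing"  # opt-out parameter name suggested in the post

# Hypothetical shared table: component -> keys that must all be set.
# One table keeps the behaviour equal across the targeted components.
CREDENTIAL_KEYS = {"mqtt": ("username", "password")}


@dataclass(frozen=True)
class ConfigWarning:
    component: str
    missing: tuple
    message: str


def check_component(component, conf):
    """Return a ConfigWarning if credentials are missing, else None."""
    required = CREDENTIAL_KEYS.get(component)
    if required is None or not isinstance(conf, dict):
        return None
    # Only a real boolean True silences the warning; the string "true"
    # or any other truthy value does not.
    if conf.get(OPT_OUT_KEY) is True:
        return None
    # None and empty strings both count as "not configured".
    missing = tuple(key for key in required if not conf.get(key))
    if not missing:
        return None
    message = (
        f"{component}: no {', '.join(missing)} configured. Set credentials, "
        f"or add '{OPT_OUT_KEY}: true' if this setup is intentional."
    )
    return ConfigWarning(component, missing, message)


def check_config(config):
    """Collect warnings for every known component in the parsed config."""
    found = (check_component(name, conf) for name, conf in config.items())
    return [warning for warning in found if warning is not None]


if __name__ == "__main__":
    # Constructed sample config; 192.0.2.10 is a documentation address.
    sample = {"mqtt": {"broker": "192.0.2.10"}, "light": {"platform": "demo"}}
    for warning in check_config(sample):
        print(warning.message)  # text for the persistent notification
```
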