Haiku Security of Web Interface

I'm curious about the security that underlies the web interface since it doesn't seem to require a user code to arm/disarm the system.
 
Assuming I'm using a secure password, what sort of security is the web interface based on, and does Nullriver specifically recommend against having a publicly accessible web interface?
 
We use Digest authentication with nonce, so the password is required to be able to issue commands. It is however possible to snoop on the connection and view data transmitted, but not the password. You should be OK to use it over the Internet, provided you don't mind the data being sent unencrypted. Since the data is usually fairly generic, i.e. just names of rooms, lights, etc., it should not be a major security issue. We had to stop using SSL because WebSockets did not work properly over it. We plan to re-enable SSL support in the future, once WebSocket implementations properly support it.
 
Thanks for the response.
 
From an installer/dealer standpoint, a strong commitment to standardized security protocols is absolutely imperative. Your software is good software, and I know there are a lot of DIYers out there who love it.
 
But if I'm selling it as part of a system, I need a hell of a lot more assurance than "it should not be a major security issue."
 
You can always run it on the LAN. If you want to access it over the Internet... nothing is 100% secure on the Internet. That is a fact. We offer the most security that is currently possible, until we are able to switch to SSL encryption. However, all that you are losing without SSL encryption is just the text labels/events being transferred. There is no ability to control the system without having the password. It would also be quite challenging to pick up the data, as someone would have to be either on your LAN sniffing it or on the network that HaikuHelper is running on. In the end it's always up to the installer and user to decide what services they want to expose to the Internet and to what degree. Exposing anything to the Internet always has inherent risk.
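To make concrete what the two Nullriver replies above describe (Digest authentication with a nonce: the password never crosses the wire, but the request data does), here is an added worked example of HTTP Digest as specified in RFC 2617 (MD5, qop="auth"). It is illustrative code written for this thread, not HaikuHelper's own implementation, and the realm name, user name, password, URI and command body are all constructed for the demo. It shows the client computing the response hash, a server that verifies it and refuses stale or replayed nonces, what an eavesdropper on plaintext HTTP actually sees, and why the "secure password" assumption in the original question matters: a captured header can be tested against candidate passwords offline.

```python
import hashlib
import hmac
import os
import time

REALM = "HaikuHelper"  # constructed realm label for this example; not taken from the product


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password) is the only place the password is used;
    # everything that crosses the wire is derived from it, never the password itself.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop="auth" (RFC 2617 section 3.2.2.1)
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2(method, uri)}")


def client_authorization(username: str, password: str, method: str, uri: str, nonce: str, nc: int) -> dict:
    """Fields a client puts into its 'Authorization: Digest ...' header for one request."""
    cnonce = os.urandom(8).hex()
    nc_hex = f"{nc:08x}"
    return {
        "username": username, "realm": REALM, "uri": uri, "nonce": nonce,
        "nc": nc_hex, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(ha1(username, REALM, password), method, uri, nonce, nc_hex, cnonce),
    }


class DigestServer:
    """Minimal verifier: one-time-increasing nonce counts and a nonce lifetime defeat replay."""

    def __init__(self, users: dict, nonce_ttl: float = 30.0):
        self.ha1 = {u: ha1(u, REALM, p) for u, p in users.items()}  # store HA1, not clear passwords
        self.nonces = {}  # nonce -> [issued_at, highest nc accepted so far]
        self.nonce_ttl = nonce_ttl

    def challenge(self, now=None) -> str:
        nonce = os.urandom(16).hex()  # sent back to the client in WWW-Authenticate
        self.nonces[nonce] = [time.time() if now is None else now, 0]
        return nonce

    def verify(self, auth: dict, method: str, now=None):
        now = time.time() if now is None else now
        state = self.nonces.get(auth["nonce"])
        if state is None:
            return False, "unknown nonce"
        if now - state[0] > self.nonce_ttl:
            return False, "stale nonce"
        nc = int(auth["nc"], 16)
        if nc <= state[1]:
            return False, "replayed nc"  # a sniffed header cannot simply be resent
        h1 = self.ha1.get(auth["username"])
        if h1 is None:
            return False, "unknown user"
        expected = digest_response(h1, method, auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False, "bad response"
        state[1] = nc
        return True, "ok"


def offline_guess(auth: dict, method: str, wordlist):
    """What a sniffer can do with one captured header: try candidate passwords offline."""
    for pw in wordlist:
        h1 = ha1(auth["username"], auth["realm"], pw)
        if digest_response(h1, method, auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"]) == auth["response"]:
            return pw
    return None


def demo(password: str = "pelican-staircase-77"):
    server = DigestServer({"owner": password})
    nonce = server.challenge(now=1000.0)
    method, uri = "POST", "/command"
    body = '{"unit": "Living Room Lights", "cmd": "on"}'  # constructed; readable to anyone on the path
    auth = client_authorization("owner", password, method, uri, nonce, nc=1)
    auth2 = client_authorization("owner", password, method, uri, nonce, nc=2)
    return {
        "password_on_wire": password in body or password in str(auth),
        "first_request": server.verify(auth, method, now=1001.0),
        "tampered": server.verify({**auth2, "uri": "/admin"}, method, now=1002.0),
        "replay": server.verify(auth, method, now=1003.0),
        "after_expiry": server.verify(client_authorization("owner", password, method, uri, nonce, nc=3), method, now=1100.0),
        "offline_weak": offline_guess(auth, method, ["password", "1234", password]),
        "offline_strong": offline_guess(auth, method, ["password", "1234", "letmein"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats follow from the code rather than from the thread. First, the offline check is the reason a long, non-dictionary password is a hard requirement: the captured nonce, cnonce and response are all the attacker needs to test guesses at MD5 speed without talking to the server. Second, qop="auth" binds only the method and URI into the hash; the request body is not integrity-protected by Digest, so on plaintext HTTP an attacker positioned on the path (not merely a passive sniffer) could alter it. Whether HaikuHelper uses qop="auth-int", which does cover the body, is not stated in this thread.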
 
If you are running it on a Mac Server, which is a small upgrade to Mac software, you can turn on the VPN software, which is supported by both iPads and iPhones. This provides encryption outside of Haiku, so it doesn't matter much if Haiku is encrypted or not. The downside is it adds an extra step when you connect, and you have to turn on the VPN before you use Haiku. But VPN encryption is about the best you can get, and it protects all your traffic over the Internet.
 