Basic security and certificate questions

[tim2u]

I’ve got several certificate questions that I’ve tried to research in the forums and wikis, but still find confusing. With the following background info, could someone help me with a few questions:

I have an obscure port on my router opened and forwarded to my isy’s internal ip address (and port 443).   I have not imported/created any type of certificates.  I also have followed portal install instructions as I recently started using the portal (love it!!!)  My basic client/server certificate settings are shown as attached.

1)      When I connect to my isy via mobilinc on my phone’s cellular network using the routers port forwarded to my isy, is my connection secure (username password encrypted)?  I have always assumed so due to using the 443 port of the isy.  If not, do I need to set up certificates in this case?  If so, what are basic steps (details not needed, but assuming it would be server certificate)

 

2)      I would like to connect tasker directly to my isy (via router port forwarding) or the isy portal.  I’ve seen the wiki on doing so, but you have to pass username/pwd in query string to either.  Is either secure without messing with certificates?  Again, both would be making connections via https, so I would think so.  If not secure, how could I make my tasker to portal connection more secure?

 

3)      If I need to set up a server certificate on my isy, I would prefer to use a self-signed one (no $$$).  Once doing so, I am assuming any pc on my network will still connect except I will then get cert errors (until I import cert into trusted root certificate authorites).  Is this the case?  My concern is screwing up the certificate process and ultimately nothing be able to connect to my isy (via admin console/dashboard/etc.)

The reasons for these questions, is that ultimately, I’d like to close the port on my router going to my isy, and use tasker/agave to control my isy using the isy portal (when outside my home network).  But I’m not thrilled about passing username/password in query string to portal with the tasker integration.  But if secure, I’m ok with it. 

Thanks in advance.  Apologies if these are simple/basic questions, but my certificate knowledge has always been cloudy.

[KeviNH]

The ISY normally accepts only encrypted traffic on port 443, this mens the protocol is TLS (SSL, with https:// URLs), and the entire URL and any content is encrypted in transit (unless somebody in the middle is doing something nasty).  This includes the username and password.
 
While the "query string" may show the user and password, usually it is parsed by the app and sent obfuscated in a header.  Either way, with TLS, the full URL is not exposed in transit, but may be readable by anybody who can see you screen or access the app's configuration settings (e.g. Apple, your employer, etc).
 

If I need to set up a server certificate on my isy, I would prefer to use a self-signed one (no $$$).  Once doing so, I am assuming any pc on my network will still connect except I will then get cert errors (until I import cert into trusted root certificate authorites).  Is this the case?  My concern is screwing up the certificate process and ultimately nothing be able to connect to my isy (via admin console/dashboard/etc.)

While it's kind of a headache to do with ISY994, you could use the Free LetsEncrypt certificates instead of self-signed. 

 

Adding a certificate is low-risk, just don't set the "Verify" checkbox (see the security guide for details)

[MWareman]

Self signed certificates are never secure from mitm proxies - and usernames and passwords can easily be intercepted if the network you are connected to has dpi on their network.

 

Unless the app does SSL pinning, which I don’t think MobiLinc does.

 

The only way around that is a paid, trusted certificate.

 

Cheapest I’ve found is $15/year... http://www.garrisonhost.com/ssl-certificates/alphassl.html

 

There is also a free option (Lets Encrypt), but the Certs are only valid for 90 days. You would have to renew manually because the ISY does not have the Lets Encrypt client renewal agent on board.

[KeviNH]

My day job includes installing DPI and proxy hardware, including TLS MITM Proxies.   With only DPI, the eavesdropper can only intercept usernames, passwords and URLs for unencrypted traffic (e.g. http);  They need to add on a MITM proxy to see this level of detail for encrypted traffic (e.g. https or another TLS/SSL protocol).

 

Self signed certificates are never secure from mitm proxies - and usernames and passwords can easily be intercepted if the network you are connected to has dpi on their network.

 

Unless the app does SSL pinning, which I don’t think MobiLinc does.   The only way around that is a paid, trusted certificate.

 

For personal and other small-scale use, self-signed (or better yet, private-CA) certificates can be just as secure as expensive certificates, when done right.

• Most mobile devices and computers allow you to import your private-CA or self-signed public key.  Do this before you connect the first time, and self-signed is no worse off than any other certificate. 
• Next, require client certificates for real protection against MITM proxies   (Not all client apps support using a client certificate).   The ISY994 supports client certificates. I doubt Mobilinc does, and I believe at least some parts of Tasker have experimental support for client certs.

This approach actually works great for personal use, but is difficult to scale up to a service that you want to offer to many different users on many different computers, as each computer would require manually importing both keys before it can be used securely. 

 

 

 

2)      I would like to connect tasker directly to my isy (via router port forwarding) or the isy portal.  I’ve seen the wiki on doing so, but you have to pass username/pwd in query string to either.  Is either secure without messing with certificates?  Again, both would be making connections via https, so I would think so.  If not secure, how could I make my tasker to portal connection more secure?

 

3)      If I need to set up a server certificate on my isy, I would prefer to use a self-signed one (no $$$).  Once doing so, I am assuming any pc on my network will still connect except I will then get cert errors (until I import cert into trusted root certificate authorites)

 

The reasons for these questions, is that ultimately, I’d like to close the port on my router going to my isy, and use tasker/agave to control my isy using the isy portal (when outside my home network).  But I’m not thrilled about passing username/password in query string to portal with the tasker integration.

 

 

When using the ISY portal, you have a whole different set of risks to consider, especially when looking at how to "make my tasker to portal connection more secure".