Protect /WEB/INDEX.HTM ?

Hi! Just a secure paranoia question:

I noticed that the main /WEB/INDEX.HTM page is *not* http authenticated. The subsequent pages it calls are, but the base level page, if exposed to the internet, exposes that this port hosts the ISY-99i.

I would like to know if it's possible to configure the ISY-99i to make sure that even *this* main page (and ideally, even the redirect page in / that points to /WEB/INDEX.HTM) can be password protected to keep people who are snooping for these devices on the internet from attempting more attacks.

We don't know of any security exploits now, but I worry that someone may use this information to figure out that I have this device and then narrow their attacking methods.

Hello oatflake,

There are very many files in /WEB that should not be password protected, otherwise the Admin Console (and UPnP) will not find ISY on the network.

Perhaps we can make only INDEX.HTM password protected?

With kind regards,

Michel

  • Author

Aha, I see - I presume the reason the Admin Console can't handle this is because it doesn't do http auth?

One other option I was considering was placing my ISY-99i behind my own SSL proxy like Pound, and setting up my own http authentication such as through haproxy - I actually tried this, but that explains why I couldn't get the Admin Console to work (the normal webpages worked fine).

I actually do have a suitable work-around right now; I simply block all access through my firewall and connect to my ISY-99i using an ssh tunnel. It's not ideal because it means I can only access it through a computer that has ssh set up, and I really like using my Android phone web browser to check in on things.

I guess for now protecting INDEX.HTM is probably the simplest thing. Does that require a firmware update, or is there a way I can tweak the settings myself?

Hello oatflake,

No, Admin Console does HTTP auth. The problem is when you are searching for ISY, you may NOT already know the credentials (that's how all discovery protocols are designed) and thus a few of those files in /WEB should be generic.

We'll see what we can do to password protect index.

With kind regards,

Michel

  • Author

That sounds great, thanks!
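
A way to audit your own device for the condition raised in the first post: request each path with no credentials and record which ones answer, redirect, or demand HTTP auth. This is an added example, not part of the original thread and not Universal Devices' code; `StubDevice` is a constructed local stand-in for the behaviour described in the thread (not the ISY-99i's real server), and `/PROTECTED/PAGE.HTM` is a hypothetical path.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the behaviour described in the thread: "/" redirects to
# /WEB/INDEX.HTM, which is served without credentials; all other paths need auth.
class StubDevice(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":
            self.send_response(302)
            self.send_header("Location", "/WEB/INDEX.HTM")
        elif self.path == "/WEB/INDEX.HTM":
            self.send_response(200)
        elif self.headers.get("Authorization"):
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def audit(host, port, paths):
    """Request each path with no credentials and classify the answer."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)  # http.client does not follow redirects
        resp = conn.getresponse()
        resp.read()
        if resp.status == 401 and resp.getheader("WWW-Authenticate"):
            results[path] = "auth required"
        elif 300 <= resp.status < 400:
            results[path] = "redirect -> " + resp.getheader("Location", "?")
        else:
            results[path] = "open (%d)" % resp.status
        conn.close()
    return results

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubDevice)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # "/PROTECTED/PAGE.HTM" is a hypothetical path, not taken from the thread.
        return audit("127.0.0.1", server.server_port,
                     ["/", "/WEB/INDEX.HTM", "/PROTECTED/PAGE.HTM"])
    finally:
        server.shutdown()
        server.server_close()
```

To check a real device, call `audit()` with its address and the paths you care about; any path reported as `open` or `redirect` is visible to an unauthenticated client on that port.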
