giesen Posted August 14, 2013

>> Hi giesen,
>> Yes we can but even that requires development. I am concerned that SSL is taking too long. It should NOT if the client (i.e. eKeypad) uses session resume. It should only take 10 seconds on the initial connection. The rest should be just a little longer than http (still less than a second).
>> With kind regards,
>> Michel

Michel,

It does seem to reuse the session if I keep the application in the foreground. Once it launches (and waits about 10-15 seconds to connect to the ISY), it takes about a second to turn on a device. The problem is, as soon as you switch to another app or the phone goes to sleep, it takes another 10-15 seconds to connect again. Not sure if this is a poor implementation on the part of eKeypad or if it's a limitation of the iOS multitasking API (I suspect the latter), but with HTTP it's nearly instantaneous to load and then control.

Hence my suggestion of implementing HTTP Digest authentication. It wouldn't require a rewrite of your access control model, just the implementation of the digest mechanism. Still not a trivial task I'm sure, but hopefully a lot easier than some of the other (worthy) suggestions.

Another alternative would be to implement support for multiple users, so I could assign a different user for each device using the REST API, and at least if one is compromised I just reset the password for that one device. Kind of a backdoor way of implementing API keys.
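
The server-side check that HTTP Digest authentication (RFC 2617, qop=auth) requires, as an added example that is not part of the thread and is not ISY or eKeypad code. `DigestVerifier` and `issue_nonce` are hypothetical names; the sample request is the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Hypothetical server-side check (illustrative names, not ISY firmware)."""

    def __init__(self, realm, passwords):
        # Keep HA1 = MD5(user:realm:password) rather than the password itself.
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in passwords.items()}
        self.last_nc = {}  # nonce issued by this server -> highest nc accepted

    def issue_nonce(self, nonce):
        self.last_nc[nonce] = 0

    def verify(self, method, f):
        ha1 = self.ha1.get(f["username"])
        if ha1 is None or f["nonce"] not in self.last_nc:
            return False  # unknown user, or a nonce this server never issued
        try:
            nc = int(f["nc"], 16)
        except ValueError:
            return False
        if nc <= self.last_nc[f["nonce"]]:
            return False  # nonce count did not increase: replayed request
        want = digest_response(ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
        if not hmac.compare_digest(want.encode(), f["response"].encode()):
            return False
        self.last_nc[f["nonce"]] = nc
        return True

# Sample Authorization fields: the worked example from RFC 2617 section 3.5.
RFC_FIELDS = {
    "username": "Mufasa", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    v = DigestVerifier("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    v.issue_nonce(RFC_FIELDS["nonce"])
    print(v.verify("GET", RFC_FIELDS), v.verify("GET", RFC_FIELDS))
```

Digest keeps the password itself off the wire, but request and response bodies still travel in clear text over plain HTTP.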

Michel Kohanim Posted August 15, 2013

Hi Alan,

Session resumption is a feature of TLS that basically reuses the negotiated keys across multiple connections so that you would not have to incur the cost of negotiating keys (10 seconds) on every connection.

Hi giesen,

Understood and you are correct on both counts. We do have multi-user requirement on our plate AND we do have plans for a security enhancement release. So, at least there's hope!

With kind regards,
Michel

bTwix (Author) Posted December 25, 2013

Hi Michel,

>> Adding a simply boolean at /USER/WEB is easy.

Is this in the current firmware? I'm still looking to host my remote.htm on ISY with anon access for all /USER/WEB, so I can ditch my Windows server.

Hope you're having a good holiday!

Cheers,
Phil

bsobel Posted December 25, 2013

>> Hi Michel,
>> >> Adding a simply boolean at /USER/WEB is easy.
>> Is this in the current firmware? I'm still looking to host my remote.htm on ISY with anon access for all /USER/WEB, so I can ditch my windows server.
>> Hope you're having a good holiday!
>> Cheers,
>> Phil

You might want to consider a Raspberry Pi and throwing a reverse proxy on that. Very low power, and I find them great companions to my ISY (I use them to filter and send alerts, manage my Sonos, Hue, etc. tied to my ISYs).

Bill

Michel Kohanim Posted December 26, 2013

Hi Phil,

We do have plans to include such features in our 5.0 framework next year.

With kind regards,
Michel

bTwix (Author) Posted December 26, 2013

>> raspberry pi

Thanks, Bill. Will look into that.

>> We do have plans to include such features in our 5.0 framework next year.

Awesome, looking forward to that drop.

bTwix (Author) Posted January 3, 2014

Bill,

The Raspberry Pi front-end is working great for hosting my remote/proxy on top of ISY. Loaded Apache and did a simple Python proxy to inject the creds. Thanks again for the suggestion. I'm going to get this kit for my brother's kids to play with as well. Very cool stuff!

Cheers