Disable HTTP for remote connection

To improve the security of the app, starting with 2.10.4-beta it won’t be possible to enter http urls in the remote connection url preference, only https.
Previously configured urls keep working.


So, you are also checking the ssl certificate so we are required to have a valid one? If not, you have not increased security if the app is only accessing OH when on the local network.

Yes. The certificate either must be signed by a CA whose certificate is installed in Android, or you must acknowledge it on first use.

Please note the change is about the remote connection, not the local one. For the latter, there is no change.

This does increase the security. If you check the fingerprint of the certificate, it offers the same security as a CA-signed certificate. If you don’t check the fingerprint, it’s “the attacker must intercept the connection the first time the client connects to the server” (when accepting a self-signed cert) vs “user name and password are always transmitted in clear text” (when using http).

Further reading: Trust on first use - Wikipedia
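As an added illustration (not code from this thread or from the openHAB app), this is what the behaviour described above looks like in Python: the remote URL is rejected unless it is https, a CA-validated certificate is accepted as-is, and a self-signed one is acknowledged once, pinned by its SHA-256 fingerprint, and then rejected if it ever changes. The store dict, the callback names and the certificate bytes are assumptions for the example.

```python
# Added example (not from the thread or the openHAB app): the remote-URL
# scheme check and a trust-on-first-use (TOFU) certificate pin store.
import hashlib
from urllib.parse import urlsplit


class RemoteUrlError(ValueError):
    """The configured remote connection URL is not acceptable."""


class CertificateMismatch(Exception):
    """The server presented a certificate that differs from the pinned one."""


def validate_remote_url(url: str) -> str:
    """Reject anything but https for the remote connection; return the host."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise RemoteUrlError("remote connection URL must use https, not %r" % parts.scheme)
    if not parts.hostname:
        raise RemoteUrlError("remote connection URL has no host")
    return parts.hostname.lower()


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def check_server_cert(store, host, der_cert, trusted_by_ca, user_accepts):
    """Decide whether to trust the certificate the remote server presented.

    store         -- dict host -> pinned fingerprint (persisted by the app)
    trusted_by_ca -- True if the platform CA store already validated the chain
    user_accepts  -- callback(host, fingerprint) -> bool, the first-use prompt
    Returns 'ca', 'pinned' or 'first-use'; raises CertificateMismatch otherwise.
    """
    if trusted_by_ca:
        return "ca"
    fp = cert_fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        # First use: the user should compare fp with the server's own fingerprint.
        if not user_accepts(host, fp):
            raise CertificateMismatch("user declined certificate for %s" % host)
        store[host] = fp
        return "first-use"
    if pinned != fp:
        # A different certificate than the pinned one: possible interception.
        raise CertificateMismatch("fingerprint for %s changed" % host)
    return "pinned"
```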

Could you please make this configurable?
It could still default to https, but it should be possible to use remote http, perhaps with a disclaimer?

Why? This is 4 years after introduction and it looks like no one else has a use case for this.
What is your use case and your setup?

I have waited these 4 years for the ability to add 3 other sites I manage using http. (via nginx w/user/passw), hoping it would be made an option.
Using the app is better than using a browser shortcut, which I have done up to now.
My main system is reachable remotely from the app just because it was set up prior to this https enforcement.
I feel the choice should be left to the user. The risk is also minimal using a non-standard port and even if someone should hack it, the damage to a system with no lock control would be minimal.

That is not correct. It is the same risk as using the standard port. It only prevents attacks by users that only try to attack standard ports. Have a look at shodan.io and you will find all open ports, independent of whether a service is running on a standard or a non-standard port.

Then you can add a certificate in your nginx setup enabling the use of https.


I understand, but still feel this should be the user’s choice to opt out.
It’s a client after all, and should not enforce a server-side security issue.