Disable HTTP for remote connection

To improve the security of the app, starting with 2.10.4-beta it won’t be possible to enter HTTP URLs in the remote connection URL preference, only HTTPS.
Previously configured URLs keep working.

So, you are also checking the SSL certificate so we are required to have a valid one? If not, you have not increased security if the app is only accessing OH when on the local network.

Yes. The certificate either must be signed by a CA whose certificate is installed in Android, or you must acknowledge it on first use.

Please note the change is about the remote connection, not the local one. For the latter, there is no change.

This does increase the security. If you check the fingerprint of the certificate, it offers the same security as a CA-signed certificate. If you don’t check the fingerprint, it’s “the attacker must intercept the connection the first time the client connects to the server” (when accepting a self-signed cert) vs “User name and password are always transmitted in clear text” (when using HTTP).

Further reading: https://en.wikipedia.org/wiki/Trust_on_first_use
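
The trust-on-first-use decision described in the last reply, as an added example that is not part of the thread or the app's code. `TofuStore`, its return labels and the host name are hypothetical, and the certificates are constructed byte strings standing in for DER data.

```python
import hashlib
import hmac

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class TofuStore:
    """Hypothetical in-memory pin store: host -> pinned fingerprint."""

    def __init__(self):
        self.pins = {}

    def check(self, host, der_cert, expected_fp=None):
        """Classify a presented certificate.

        expected_fp is a fingerprint the user obtained out of band
        (for example, read directly on the server).
        """
        fp = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is not None:
            # Later connections: anything but the pinned cert is refused.
            return "match" if hmac.compare_digest(fp, pinned) else "mismatch"
        if expected_fp is not None:
            # First use with a fingerprint check: a wrong cert never gets pinned.
            if not hmac.compare_digest(fp, expected_fp.strip().upper()):
                return "rejected"
            self.pins[host] = fp
            return "pinned-verified"
        # First use, accepted without checking: whoever answered is now trusted.
        self.pins[host] = fp
        return "pinned-unverified"

# Constructed byte strings standing in for DER certificates.
SERVER_CERT = b"constructed stand-in: genuine server certificate"
OTHER_CERT = b"constructed stand-in: certificate from an interceptor"

def demo():
    blind, checked = TofuStore(), TofuStore()
    good_fp = fingerprint(SERVER_CERT)
    return [
        blind.check("home.example", SERVER_CERT),           # pinned on trust
        blind.check("home.example", OTHER_CERT),            # later swap detected
        checked.check("home.example", OTHER_CERT, good_fp), # refused at first use
        checked.check("home.example", SERVER_CERT, good_fp),
    ]

if __name__ == "__main__":
    print(demo())
```

The only gap left by the unchecked path is the very first connection: a store that pins `OTHER_CERT` first will afterwards treat the genuine certificate as the mismatch.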