openHAB Cloud / myopenHAB vs public local openHAB security?


Just curious - what is the difference in security between using the built-in openHAB local install security (instead of myopenhab / cloud) and the myopenhab / cloud security?

Interesting question, and I will try to formulate my understanding, which may also not be quite correct. So I am happy to receive feedback.

  1. Using myopenhab cloud has the benefit that the local OH server is only acting as a client when trying to use the internet. Therefore the user does not have to open ports in his router (convenient and less error-prone), and also the attack surface of a client is much smaller than that of a server. A client will not have to respond to requests coming from the internet.
    Operating a server at home is complex. Keeping the security up to date will in most cases overwhelm the capabilities of an inexperienced user.

  2. The myopenhab server can only request information via the REST interface. This is also a security feature because the complexity of such an interface is lower in comparison to the interface a server is providing. Thereby the attack surface is reduced. Of course this comes at the price that pages using JavaScript are not properly displayed when accessing the OH installation via the myopenhab proxy.

  3. Reactions to security incidents can be faster. One only has to patch the server and security can be fixed centrally and fast. A bug in decentralized servers requires that each user updates their server. This may take a very long time.

I would add to @Marty56’s excellent summary that if you were to host your own instance of myopenhab it only makes sense if you can do so on some server external to your home network. A lot of people pay ($4 a month seems to be a common amount) for a Virtual Private Server to host their myopenhab instance. I think at least one person posted about using Amazon’s cloud to host.

If you were to host it on your local network then you are opening yourself up to attack just as you would be by exposing OH using a reverse proxy (to add in authentication).

I’ve just set it up on Amazon Web Services, first year of Ubuntu is free!!! Seems to work, I have only used my test server to connect to it so far, took me about 8 hours, and 1 delete and create new server to start again. I am a Linux Newbie, Beginner, but Win expert, and VERY COMPUTER literate. Still have a little more config to complete, and testing, maybe another 4 hours.

Hmm ok, that kind of answers the question in general terms. So generally it’s assuming that there may be undiscovered exploits in the openHAB codebase and that using myopenHAB adds a layer of separation between yourself and an attacker.

However what I was really asking was what the code / auth / encryption level differences are between using openHAB or myopenHAB to remotely access your home?

I’m tempted to do this myself in the hopes of reducing remote downtime of the house. Lately it seems there are periods almost every day where myopenHAB is throwing 503 or 504 errors. Luckily I can access the house components during those times via the individual apps for Wemo, LIFX, wireless tag, black bean, etc.

I have not seen any myopenhab outage for a week now. Seems that the issues are solved.

I recall there used to be a service status page somewhere to view the myopenhab pages, however I can’t recall what the URL was.

That’s easy :