Third outage in about a week! Is local+DDNS better?

Beyond nicer IFTTT integration, what’s the main benefit of my.openhab if you can just use DDNS? Is it more secure?

It provides a good way of connecting to your system through a valid HTTPS (SSL/TLS). Very useful for people who worry about security but can’t produce/host certificates themselves.

1 Like

Good point. However, wondering if this latest outage is due to this SSL cert changeover thing.

I’m running (have always been running) 1.8 (build 1.98.0_91b14, headless), which sounds to be an acceptable version, and I’m still seeing my.openhab.org/openhab.app as offline for about 11 hours now.

Well, it’s not a typical outage. We just had no idea Oracle is so slow in updating their keystore cause letsencrypt.org is already on the market for some time.
Mine started working after I upgraded to jdk1.8.0_101.

Hi, I was running 1.8 too, however, updating to the latest did fix it (after rebooting the whole system).

Ech, OK will try to hunt down an update for this java (from memory headless SE embedded manually installed). Restart didn’t help, though presently still running u91.

Yep, that fixed it (u101). Cheers (and shame on Oracle)

Beyond the discussion about the problem with the letsencrypt cert which caused the current outage, I’ll answer some of your direct questions.

YES, my.openhab is more secure than opening a port on your firewall and setting up dyndns. The authorization and authentication built into my.openhab are much stronger than the basic auth built into openHAB itself. Also, unless you get your own cert from someone like letsencrypt, the browsers will complain about the connection being untrusted and you have to turn off cert checking entirely in the Android and iOS apps. This eliminates one of the major benefits of TLS which is getting some sort of proof that you are talking with your server and not some intermediate server man-in-the-middle.

The my.openhab servers are presumably monitored much more closely for attempted breaches and attacks than you are likely to do on your own server. So if there is a breach it will be discovered and patched more quickly than you are likely able to achieve. And assuming my.openhab does get fully pwned, the hackers will have a much more limited ability to move laterally into your personal systems and do things like steal your personal information, install a cryptolocker, and otherwise run amok.

Unless you are willing to take on the cost and effort to fully secure your internet facing machine (STIG, deny by default firewall rules, SELinux policies, constant monitoring and auditing, isolating your HA network from your personal network) it is far more secure to use my.openhab.

NOTE: This doesn’t mean you shouldn’t be doing the above anyway, not even my.openhab is foolproof protection and there is frankly lots of bad stuff that can get in through your HA devices, particularly the cloud-based ones.

To make the above a little more concrete. There are search engines out there that allow researchers and hackers to search for computers with certain open ports and certain services running. If you expose openHAB to the internet through DDNS you will end up in these search engines.

Now let’s say someone manages to discover a flaw in openHAB that lets them break out of the server and execute code on the host machine. Now all they need to do is run a quick query in one of these search engines and bam, you’ve just become a target of someone who has a proven way to break into your system. You can’t hide behind the “I’m just little old me, who would want to hack me?” because all the hackers need is to match an exploit with an IP for you to become a target. They will figure out what they can gain from you after they crack into your system (ID theft, blackmail, ransom, botnet, etc.).

2 Likes

I agree 100% with @rlkoshak, another option would be access through a VPN.