https access to SHAC

Discussion in 'C-Bus Automation Controllers' started by philthedill, May 20, 2020.

  1. philthedill

    philthedill

    Joined:
    Mar 21, 2010
    Messages:
    74
    Likes Received:
    0
    Location:
    Melbourne
    I am having issues setting up secure remote or local access to SHAC and cannot see any instructions anywhere. I can connect remotely via chrome via port 443 but it says it is not secure. any ideas?
     
    philthedill, May 20, 2020
    #1
    1. Advertisements

  2. philthedill

    chromus

    Joined:
    Jan 27, 2014
    Messages:
    386
    Likes Received:
    47
    Location:
    Perth
    you would need a valid signed certificate on the server from a certified provider. Then google will let you thru without the prompt. Unless you get this u have to click the advanced dialog EVERY time.
     
    chromus, May 20, 2020
    #2
    1. Advertisements

  3. philthedill

    philthedill

    Joined:
    Mar 21, 2010
    Messages:
    74
    Likes Received:
    0
    Location:
    Melbourne
    are you referring to the FTP server? I am in unchartered waters with some of this.
     
    philthedill, May 21, 2020
    #3
  4. philthedill

    chromus

    Joined:
    Jan 27, 2014
    Messages:
    386
    Likes Received:
    47
    Location:
    Perth
    https needs a certificate, if u don’t have a certificate no point trying to use it.
     
    chromus, May 21, 2020
    #4
  5. philthedill

    Peter_L

    Joined:
    Oct 26, 2004
    Messages:
    11
    Likes Received:
    0
    Location:
    Adelaide
    For a secure connection all you need to do is use https:// not http:// in the browser address line and all your information between your browser and SHAC will be encrypted.

    "Not secure connection" message is because the SHAC generates self-signs certificates, rather than using a certificate from a trusted provider and therefore browser can not verify that the SHAC you have connected to is the SHAC at your home and not a clone somewhere on the internet claiming to be your SHAC.

    A "secure connection" uses a signed certificate, issued by a trusted provider which allows the browser to confirm that server you are connecting to holds the private key issued by a trusted provider (and has not been reported compromised) and therefore the identity of the server as claimed by the certificate should be trusted. (this is why you should never share a private key)

    So why does Schenider not provide signed certificates, simply because you can only get a signed certificate for a domain, so to provide a signed certificate, all SHACs will have to belong to the same domain through something like ... a cloud portal ….

    For most residential installs the risk that someone will go to the effort to create a clone and trick you to log in to their server is low but if this is a concern to get a signed certificate
    1) Best to have a static IP address for you home
    2) buy a domain and add DNS entry for your IP to port 443 to the domain
    3) purchase a signed certificate from a certificate provider for you domain
    4) install the certificate and private key into the SHAC (System->Services->HTTPS SSL Certificate)

    However, if you are concerned about cyber risks then using port forwarding through your modem is a bigger risk to your cybersecurity then unsigned certificates
     
    Peter_L, Jun 2, 2020
    #5
  6. philthedill

    chromus

    Joined:
    Jan 27, 2014
    Messages:
    386
    Likes Received:
    47
    Location:
    Perth
    The bare minimum is $75 a year or a certificate, unless your client is a big business with a need and the funds you would be far better off setting up (or having an appropriate tech do it ) an LT2P VPN then the network isn't sitting with a bunch of open ports.

    SSL certificates have to be renewed and if your provider lets you down and they expire its a world of hurt. I used to work for a major telco and even as a signing provider it took us 48hours to get the new certificate installed and for the credentials to come online.
     
    chromus, Jun 2, 2020
    #6
  7. philthedill

    philthedill

    Joined:
    Mar 21, 2010
    Messages:
    74
    Likes Received:
    0
    Location:
    Melbourne
    thanks for your help Peter_L and chromus. I think I'll stick with the http approach which is working fine. albeit, someone might intercepts some CBus traffic???
     
    philthedill, Jun 4, 2020
    #7
  8. philthedill

    chromus

    Joined:
    Jan 27, 2014
    Messages:
    386
    Likes Received:
    47
    Location:
    Perth
    Only if you leave the port open which is poor practice anyway. Ideally you would be connecting over VPN and not exposing ports anyway.
     
    chromus, Jun 4, 2020
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.