https access to SHAC

Discussion in 'C-Bus Automation Controllers' started by philthedill, May 20, 2020.

  1. philthedill

    Joined:
    Mar 21, 2010
    Messages:
    140
    Likes Received:
    3
    Location:
    Melbourne
    I am having issues setting up secure remote or local access to SHAC and cannot see any instructions anywhere. I can connect remotely via Chrome via port 443, but it says it is not secure. Any ideas?
     
    philthedill, May 20, 2020
    #1
  2. chromus

    Joined:
    Jan 27, 2014
    Messages:
    422
    Likes Received:
    50
    Location:
    Perth
    You would need a valid signed certificate on the server from a certified provider. Then Google will let you through without the prompt. Unless you get this, you have to click the advanced dialog EVERY time.
     
    chromus, May 20, 2020
    #2
  3. philthedill

    Joined:
    Mar 21, 2010
    Messages:
    140
    Likes Received:
    3
    Location:
    Melbourne
    Are you referring to the FTP server? I am in uncharted waters with some of this.
     
    philthedill, May 21, 2020
    #3
  4. chromus

    Joined:
    Jan 27, 2014
    Messages:
    422
    Likes Received:
    50
    Location:
    Perth
    HTTPS needs a certificate; if you don't have a certificate there is no point trying to use it.
     
    chromus, May 21, 2020
    #4
  5. Peter_L

    Joined:
    Oct 26, 2004
    Messages:
    12
    Likes Received:
    0
    Location:
    Adelaide
    For a secure connection all you need to do is use https:// rather than http:// in the browser address line, and all your information between your browser and the SHAC will be encrypted.

    The "Not secure connection" message appears because the SHAC generates self-signed certificates rather than using a certificate from a trusted provider, and therefore the browser cannot verify that the SHAC you have connected to is the SHAC at your home and not a clone somewhere on the internet claiming to be your SHAC.

    A "secure connection" uses a signed certificate, issued by a trusted provider, which allows the browser to confirm that the server you are connecting to holds the private key issued by a trusted provider (and has not been reported compromised), and therefore the identity of the server as claimed by the certificate should be trusted. (This is why you should never share a private key.)

    So why does Schneider not provide signed certificates? Simply because you can only get a signed certificate for a domain, so to provide a signed certificate all SHACs would have to belong to the same domain through something like ... a cloud portal ….

    For most residential installs the risk that someone will go to the effort to create a clone and trick you into logging in to their server is low, but if this is a concern, to get a signed certificate:
    1) Best to have a static IP address for your home
    2) Buy a domain and add a DNS entry for your IP to port 443 to the domain
    3) Purchase a signed certificate from a certificate provider for your domain
    4) Install the certificate and private key into the SHAC (System->Services->HTTPS SSL Certificate)

    However, if you are concerned about cyber risks, then using port forwarding through your modem is a bigger risk to your cybersecurity than unsigned certificates.
     
    Peter_L, Jun 2, 2020
    #5
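As an added example (not from this thread, and not Schneider's own tooling), this script reproduces Peter_L's point with openssl: a constructed self-signed certificate fails the trust-store check a browser makes, passes once that exact certificate is pinned as trusted, and still fails a hostname check for any name it was not issued for. It assumes openssl is installed and uses shac.example as a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from this thread or from Schneider): reproduce the browser's
# "not secure" verdict on a self-signed SHAC certificate with openssl, then show
# the two checks a browser makes (trusted issuer, matching hostname).
# Assumes openssl is installed; "shac.example" is a placeholder hostname.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for what the SHAC generates itself: a key and a
# certificate signed by that same key, so issuer == subject.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/shac.key" -out "$WORK/shac.crt" \
    -subj "/CN=shac.example" -addext "subjectAltName=DNS:shac.example" \
    >/dev/null 2>&1

# True when the certificate's issuer equals its subject (self-signed).
is_self_signed() {
    issuer=$(openssl x509 -in "$WORK/shac.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$WORK/shac.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Chain check against the system trust store, as a browser does by default.
# Fails for the self-signed certificate: no trusted provider vouches for it.
verify_with_system_store() {
    openssl verify "$WORK/shac.crt" >/dev/null 2>&1
}

# Same check after explicitly trusting this exact certificate (what importing
# the SHAC's certificate into the browser's trust store achieves).
verify_with_pinned_cert() {
    openssl verify -CAfile "$WORK/shac.crt" "$WORK/shac.crt" >/dev/null 2>&1
}

# Hostname check: even a trusted certificate only verifies for the name it was
# issued for, which is why a domain name (step 2 above) matters.
verify_hostname() {
    openssl verify -CAfile "$WORK/shac.crt" -verify_hostname "$1" \
        "$WORK/shac.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    is_self_signed && echo "certificate is self-signed"
    verify_with_system_store || echo "system trust store: NOT trusted (browser warning)"
    verify_with_pinned_cert && echo "pinned certificate: trusted"
    verify_hostname shac.example && echo "hostname shac.example: matches"
    verify_hostname 192.0.2.10 || echo "hostname 192.0.2.10: mismatch"
fi
```

Run it as `sh check_shac_cert.sh demo` to see each verdict; pinning only removes the warning for the browser it is imported into, and the hostname check still requires connecting by the name in the certificate.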
  6. chromus

    Joined:
    Jan 27, 2014
    Messages:
    422
    Likes Received:
    50
    Location:
    Perth
    The bare minimum is $75 a year for a certificate. Unless your client is a big business with a need and the funds, you would be far better off setting up (or having an appropriate tech do it) an L2TP VPN; then the network isn't sitting with a bunch of open ports.

    SSL certificates have to be renewed, and if your provider lets you down and they expire it's a world of hurt. I used to work for a major telco, and even as a signing provider it took us 48 hours to get the new certificate installed and for the credentials to come online.
     
    chromus, Jun 2, 2020
    #6
  7. philthedill

    Joined:
    Mar 21, 2010
    Messages:
    140
    Likes Received:
    3
    Location:
    Melbourne
    Thanks for your help Peter_L and chromus. I think I'll stick with the http approach, which is working fine, albeit someone might intercept some C-Bus traffic???
     
    philthedill, Jun 4, 2020
    #7
  8. chromus

    Joined:
    Jan 27, 2014
    Messages:
    422
    Likes Received:
    50
    Location:
    Perth
    Only if you leave the port open which is poor practice anyway. Ideally you would be connecting over VPN and not exposing ports anyway.
     
    chromus, Jun 4, 2020
    #8