https access to SHAC

Discussion in 'C-Bus Automation Controllers' started by philthedill, May 20, 2020.

  1. philthedill
    I am having issues setting up secure remote or local access to SHAC and cannot see any instructions anywhere. I can connect remotely via Chrome via port 443, but it says it is not secure. Any ideas?
     
    philthedill, May 20, 2020
    #1

  2. chromus
    You would need a valid signed certificate on the server from a certified provider. Then Google will let you through without the prompt. Unless you get this, you have to click the advanced dialog EVERY time.
     
    chromus, May 20, 2020
    #2

  3. philthedill
    Are you referring to the FTP server? I am in uncharted waters with some of this.
     
    philthedill, May 21, 2020
    #3
  4. chromus
    HTTPS needs a certificate; if you don't have a certificate, there is no point trying to use it.
     
    chromus, May 21, 2020
    #4
  5. Peter_L
    For a secure connection all you need to do is use https:// rather than http:// in the browser address line, and all your information between your browser and SHAC will be encrypted.

    The "Not secure connection" message is because the SHAC generates self-signed certificates rather than using a certificate from a trusted provider, and therefore the browser cannot verify that the SHAC you have connected to is the SHAC at your home and not a clone somewhere on the internet claiming to be your SHAC.

    A "secure connection" uses a signed certificate, issued by a trusted provider, which allows the browser to confirm that the server you are connecting to holds the private key issued by a trusted provider (and has not been reported compromised), and therefore the identity of the server as claimed by the certificate should be trusted. (This is why you should never share a private key.)

    So why does Schneider not provide signed certificates? Simply because you can only get a signed certificate for a domain, so to provide a signed certificate, all SHACs would have to belong to the same domain through something like ... a cloud portal ….

    For most residential installs the risk that someone will go to the effort to create a clone and trick you into logging in to their server is low, but if this is a concern, to get a signed certificate:
    1) Best to have a static IP address for your home
    2) Buy a domain and add a DNS entry for your IP to port 443 to the domain
    3) Purchase a signed certificate from a certificate provider for your domain
    4) Install the certificate and private key into the SHAC (System->Services->HTTPS SSL Certificate)

    However, if you are concerned about cyber risks, then using port forwarding through your modem is a bigger risk to your cybersecurity than unsigned certificates.
     
    Peter_L, Jun 2, 2020 at 4:11 PM
    #5
  6. chromus
    The bare minimum is $75 a year for a certificate; unless your client is a big business with a need and the funds, you would be far better off setting up (or having an appropriate tech do it) an L2TP VPN, then the network isn't sitting with a bunch of open ports.

    SSL certificates have to be renewed, and if your provider lets you down and they expire it's a world of hurt. I used to work for a major telco, and even as a signing provider it took us 48 hours to get the new certificate installed and for the credentials to come online.
     
    chromus, Jun 2, 2020 at 11:04 PM
    #6
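    To see from a workstation which of the reasons Peter_L lists applies to a given SHAC's certificate, and how close it is to the expiry cliff chromus describes, here is an added Python example (not code from this forum, from Schneider, or from the SHAC firmware); the hostname at the bottom is a placeholder, and the verify codes are OpenSSL's own X509 verification result codes.

```python
"""Added example: report why a browser would flag a SHAC's HTTPS endpoint
as "not secure", using only the standard library. The hostname at the
bottom is a placeholder; use the address you type into the browser."""
import socket
import ssl
import time

# OpenSSL X509 verify result codes a SHAC is most likely to trigger,
# mapped to the plain-language reason from the thread above.
VERIFY_REASONS = {
    18: "self-signed leaf certificate (SHAC default): no trusted CA vouches for it",
    19: "self-signed certificate in chain: the signing CA is not trusted",
    20: "issuer not in the local trust store: chain or CA certificate missing",
    10: "certificate has expired: it must be renewed",
    62: "hostname mismatch: certificate was issued for a different name",
}


def explain_verify_error(code, message):
    """Turn an SSLCertVerificationError's code/message into a plain reason."""
    return VERIFY_REASONS.get(code, f"verification failed ({code}): {message}")


def days_until_expiry(cert, now=None):
    """Days left before the certificate's notAfter; negative means expired.
    `cert` is the dict returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def check_https(host, port=443, timeout=5.0):
    """Do a fully verified TLS handshake (system trust store plus hostname
    check, exactly what the browser does) and return (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                left = days_until_expiry(cert)
                return True, f"trusted certificate, {left:.0f} days to expiry"
    except ssl.SSLCertVerificationError as e:  # subclass of OSError: keep first
        return False, explain_verify_error(e.verify_code, e.verify_message)
    except OSError as e:
        return False, f"could not connect: {e}"


if __name__ == "__main__":
    ok, detail = check_https("shac.example.invalid")  # placeholder hostname
    print("secure" if ok else "not secure", "-", detail)
```

    Run it against the SHAC's address; a default SHAC reports the code-18 reason, and a successful result prints the days left so renewal can be scheduled before the certificate lapses.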
  7. philthedill
    Thanks for your help Peter_L and chromus. I think I'll stick with the HTTP approach, which is working fine. Albeit, someone might intercept some C-Bus traffic???
     
    philthedill, Jun 4, 2020 at 4:29 AM
    #7
  8. chromus
    Only if you leave the port open which is poor practice anyway. Ideally you would be connecting over VPN and not exposing ports anyway.
     
    chromus, Jun 4, 2020 at 12:21 PM
    #8