
Author Topic: HG webpage authentication / security / password  (Read 2476 times)

January 11, 2016, 02:43:17 PM

kevin1

I have been running with no password for a while since it was so problematic to log in from mobile devices.  The username/password popup repeatedly pops up, making it difficult to type/cancel or switch to a new tab.  This is somewhat intermittent.  On Chrome it is okay on first login, but after switching apps and coming back to the browser it happens.

Also it was reported that with a little hacking the HG password could be found by anyone on the internet anyway (assuming HG is visible outside the house, which I would think lots of people want to do!).  I can't find this forum topic now.

Anyway, I recently tried setting a password again because I really would like some protection here!!!! (even though I don't have any smart locks that would allow entry).  I have gotten repeated pop-ups on Windows 7 Chrome now too :-(

Please implement some changes:
(1) option to not use a popup for the username/password, type in the main browser window instead (or figure out why so many popups happen)
(2) option to change the username from admin to something else since that is a very common username.  Actually I see Username is in systemconfig.xml so I will have to try manually changing it there
(3) option to only require the password outside the local network
(4) please close the hole that allows the internet to find/decode the HG password
(5) there was some discussion of secure https maybe to add a level of security to HG.  I see that the HG+ app has an option for SSL but it doesn't connect when I select it.  Please implement something within HG that doesn't require another device/service/nginx(???)

Thanks!!!





January 11, 2016, 04:38:55 PM
Reply #1

Gene

I've not been able to reproduce the "repeated login prompt" issue on any of my browsers (desktop, tablet, phone - Chrome, Firefox, IE).
If you can tell me exactly what configuration I need to reproduce the issue I will look into this.

HG is not carrying out any serious security protection since there are much more professional tools that can guarantee this. It's their business and they do a great job by focusing on the security matter.

Just think about the fact that even wireless routers are very vulnerable and hackable. So protecting your intranet is something that has to be achieved by knowing the matter exactly and taking all the precautions/protections as needed.

Anyhow I don't see any way of getting to know the HG password, unless you get access to a configuration backup file. Still, it is not newbie stuff to decrypt the password in it.
The only thing we can work on is to improve password protection whenever it turns out to be a weak point. Just let me know how to crack it and I will try to make it better.

For the other requests I'll think of them and try to implement these at some point.

Cheers,
g.
 



January 11, 2016, 08:16:45 PM
Reply #2

kevin1

Okay, thank you for the feedback.  Not sure what could be causing the differences then :-(  I'm typically running the latest Chrome on Android/iOS/Win7.  I just noticed my desktop bookmark URL had the old password, so maybe that was causing the recent trouble on desktop only.

This discussion showed how to get the password.  I thought I had duplicated it on my HG but I am not 100% sure of that now...
http://www.homegenie.it/forum/index.php?topic=990.msg6227#msg6227

January 11, 2016, 08:33:22 PM
Reply #3

Gene

This is how Basic HTTP authentication works. It's just base64-encoded. So if you connect over the internet anyone in between the client and your local network could sniff and decode the password. Thus it's safe to put an SSL relay between HG and the internet to ensure at least that all traffic between client and hg is encrypted.

Cheers,
g.
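Gene's point above, worked through as an added example (this is illustrative code written for this thread, not HomeGenie's own): the Authorization header of HTTP Basic authentication is only base64, so whatever an on-path observer captures decodes straight back to the username and password, and the only real protection is making the client hop TLS. The `authorize` function is an assumed server-side rule that refuses credentials unless the relay in front has marked the hop as HTTPS (assumed here to be signalled with an `X-Forwarded-Proto` header set by the relay; HG itself does not do this) and then compares the password in constant time. The request, hostname and credentials (admin / s3cr3t) are constructed for the example.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample request, exactly as it travels when HG is reached over
# plain http:// with no TLS relay in front of it. Credentials are made up.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: homegenie.example\r\n"
    "Authorization: Basic YWRtaW46czNjcjN0\r\n"
    "\r\n"
)


def build_basic_header(username: str, password: str) -> str:
    """Authorization value a browser sends for Basic auth (RFC 7617):
    'Basic ' + base64(user:password). This is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Invert build_basic_header. Returns None for anything that is not a
    well-formed Basic credential, so a malformed header is never treated
    as a login attempt with empty or garbage values."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; later colons belong
    # to the password, which is why partition (not split) is used.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request into a {lowercase-name: value} header map."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":                            # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def authorize(headers: Dict[str, str], expected_user: str, expected_password: str) -> Tuple[str, str]:
    """Server-side decision for one request. Credentials are only accepted
    when the (assumed) relay reports that the client hop was TLS, and the
    user/password both match using constant-time comparison."""
    if headers.get("x-forwarded-proto", "").lower() != "https":
        return "reject", "credentials readable on the wire: no TLS on the client hop"
    creds = decode_basic(headers.get("authorization", ""))
    if creds is None:
        return "reject", "missing or malformed Basic credentials"
    user, password = creds
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    if user_ok and pass_ok:
        return "accept", f"authenticated as {user}"
    return "reject", "bad username or password"


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("what an on-path observer recovers:", decode_basic(hdrs["authorization"]))
    print("HG exposed directly over http:", authorize(hdrs, "admin", "s3cr3t"))
    via_relay = {**hdrs, "x-forwarded-proto": "https"}
    print("behind a TLS relay:", authorize(via_relay, "admin", "s3cr3t"))
```

The wire protection itself comes from the relay (stunnel, Apache or nginx terminating TLS, as discussed later in the thread); the `X-Forwarded-Proto` check only makes the rule "never accept a password that arrived in cleartext" explicit on the application side, and it is only trustworthy if the relay overwrites that header rather than passing a client-supplied one through.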


January 11, 2016, 08:59:53 PM
Reply #4

dani

Gene,
Can a Raspberry Pi running HG support an SSL encoder? Or is it necessary to add an external server?

January 11, 2016, 09:53:02 PM
Reply #5

Gene

I would suggest stunnel. It will work for most systems, also for Raspberry Pi.

January 12, 2016, 12:36:29 AM
Reply #6

saue0

I did it with the apache2 proxy (all on a Pi 2).
Here is my virtual host config.
My certificate is from Let's Encrypt and is free and valid.

# HTTPS virtual host that terminates TLS and forwards to HomeGenie
<VirtualHost *:443>
    ServerName xxxxx.ca
    ServerAdmin [email protected]

    # TLS with the Let's Encrypt certificate, private key and chain
    SSLProxyEngine On
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/xxxx.ca/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxxxx.ca/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/xxxxx.ca/chain.pem
    # As written this enables only TLS 1.0; to require TLS 1.2 or newer use: SSLProtocol -all +TLSv1.2
    SSLProtocol +TLSv1

    # Reverse proxy only (never an open forward proxy); keep the original Host header for HG
    ProxyRequests off
    ProxyPreserveHost On

    # Everything goes to HomeGenie listening on plain HTTP on localhost
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    ErrorLog "${APACHE_LOG_DIR}/error.log"
</VirtualHost>

January 12, 2016, 03:26:58 PM
Reply #7

[email protected]

I've just sorted it out using NGINX and used Let's Encrypt for providing the certificates.

I have also configured basic auth for some IPs / URLs and left some unrestricted so that I can call HomeGenie from IFTTT.

I will post the config and some instructions up in the next day or so :)

David

January 12, 2016, 04:12:50 PM
Reply #8

dani

Thanks in advance David. I want to introduce SSL to my home external access.

January 14, 2016, 10:07:53 PM
Reply #9

[email protected]


January 14, 2016, 11:31:28 PM
Reply #10

amselem

Hi Gene,
I can repro the "repeated login prompt" issue. I'm using MS Edge / Windows 10 desktop.
I have checked the "restore opened tabs" option in Edge.
To repro I log in to HomeGenie and it prompts me for user/pass once. If I close the browser and reopen it, Edge restores the HG tab but it keeps prompting me for user/pass again and again.

I suspect that the same issue occurs in other circumstances, for example when the HG tab is opened in the browser but I'm not using it for a long time and then I click the tab. It looks like the browser has archived the tab in memory and the HG auth doesn't like to be restored.

I think I've seen the very same issue in Windows 10 Mobile.

I don't blame Edge because other basic auth pages can be restored without this issue (for example the router config)

Thank you!
Jacobo