Jump to content
C4 Forums | Control4

RyanE's Web Events Driver and SSL/HTTPS


c4007
 Share

Recommended Posts

Hello,

I have been using RyanE's Web Events Driver (http://untestedhacks.com/2013/web-events-driver/#comments) -- and it works great.  Nice and simple.

 

Question -- I would like to use it over a secure HTTP connection (SSL/HTTPS)... would anyone happen to know if this is possible?  and if so, how to configure Control4/Web Events Driver to do so?

 

Thanks

Link to comment
Share on other sites


No, you can't do an SSL connection to that driver, as it's using Server Sockets for communication, which are a Telnet-style connection into the controller.

 

I find it unlikely that I'm ever going to want to implement SSL in Pure Lua.

 

I may be a bit masochistic in drivers, but no one is *that* much of a masochist.

 

:)

 

Sorry.

 

RyanE

Link to comment
Share on other sites

Got it, makes sense (unfortunately).

 

I've built an app which sends commands to Control4 (HC800) from an iPhone (allows you to unlock the house using the fingerprint sensor on the iPhone)... and I'd like the commands to be more 'secure' when not on our home network.  I have a 1024 bit 'key' generated to send along with the command, but of course it's in "clear text" over HTTP and so doesn't help in the case where someone sniffing traffic.  When you're on WiFi at our house you get the benefit of WPA2 encryption, and when you're on the iPhone coming to the house you're on LTE -- and so not a lot of security exposure there.  Still, would prefer to do over SSL.  I suppose I could configure a per-app VPN on the iPhone to our router, but that seems like an overkill and too flaky for multi-times-per-day use.

 

Do you know if there is a way in Control4 / some Driver out there (happy to pay for one) that allows you to send HTTPS/SSL commands to Control4?

 

Thanks

 

Link to comment
Share on other sites

Got it, makes sense (unfortunately).

I've built an app which sends commands to Control4 (HC800) from an iPhone (allows you to unlock the house using the fingerprint sensor on the iPhone)... and I'd like the commands to be more 'secure' when not on our home network. I have a 1024 bit 'key' generated to send along with the command, but of course it's in "clear text" over HTTP and so doesn't help in the case where someone sniffing traffic. When you're on WiFi at our house you get the benefit of WPA2 encryption, and when you're on the iPhone coming to the house you're on LTE -- and so not a lot of security exposure there. Still, would prefer to do over SSL. I suppose I could configure a per-app VPN on the iPhone to our router, but that seems like an overkill and too flaky for multi-times-per-day use.

Do you know if there is a way in Control4 / some Driver out there (happy to pay for one) that allows you to send HTTPS/SSL commands to Control4?

Thanks

So are you port forwarding to make this Internet facing?

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

I haven't found a VPN that is easy to configure on iPhone that is per-app and works reliably.  I am happy to look more into that option though.  Anyone have a recommendation on a solid VPN, and instructions for per-app configuration?  I am using iPhone6 and have a Ubiquity Edge Router Lite router.  Thanks in advance for any pointers.

Link to comment
Share on other sites

You could hash your key with something like the time or even a sequence number, so no replay attack would work, but even so, HTTPS would definitely be better.

 

Unfortunately, I don't know a way currently to do what you're wanting to do (receive HTTPS directly on the controller).

 

You could use a front-end Raspberry Pi or equivalent to receive the HTTPS request, and then pass that on inside the network to the Control4 system, at a pretty minimal cost, although it'd be more setup.

 

Sorry.

 

RyanE

Link to comment
Share on other sites

  • 1 month later...

To help me understand, can you explain why it's terrible? Allowing http commands from outside at port 8080 to hit my controller. It can only do anything if it includes a specific string, and even then I wouldn't have commands to do security things like open doors, locks, etc...

Link to comment
Share on other sites

Port 8080 is what all the script kiddies and scanners check for open ports. You have no authentication on the port. So anyone can send any command in.

I agree risk is minimized by not doing door and alarm stuff but still. Not something I would trust

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

Leaving any port that exposes an insecure service is asking for trouble. Opening a common port like 80, 8000, or 8080 is like leaving your front door wide open and then putting a sign on your lawn inviting thieves in.

 

Using a port number in the 50000-65535 range will be marginally better but just delays in inevitable. Bots from around the world are constantly scanning the ports of any IP exposed to the internet, so open ports will be found. All you can do is make sure that the ports you open only expose secure services like SSH (with name & password authentication disabled) or a VPN with strong authentication.

 

Surf around http://www.shodanhq.com/ a bit and you'll be amazed at what that one public search engine finds. Expand that by an order of magnitude for what hackers will find.

Link to comment
Share on other sites

  • 2 years later...

Webevents question - how long do I have to wait before sending multiple events to C4 using the WebEvents driver?

Let's say I hit http://myserver:8080/command1 that does action A on C4 and then http://myserver:8080/command2 that does action B on C4.  Should I be waiting a certain amount of time between sending the two commands?  How long?  Or does this depend on the speed of my controller (an HC-800) and how busy it is at the time.

Link to comment
Share on other sites

Thanks Ryan, either this should be rewritten or other similar drivers return that would take more info or in a more updated fashion.  It would be nice to be able to pass in more info rather than just a command - perhaps a command plus some arguments.

There are a few things around that allow C4 to interface with the outside world - IFTTT Maker driver (which should really be renamed to the IFTTT Webhooks driver since IFTTT has renamed Maker to Webhooks), and a recent Webhooks driver.  It would also be nice to have integration with MQTT.

It would be nice if there was a full REST API but there is the (undocumented) SOAP interface.

Link to comment
Share on other sites

  • 11 months later...


How do you tell Siri what command to send when you say “is my garage closed?”, and how do you parse out the response? Does this require HomeKit? I’m trying to figure out how to leverage Shortcuts to get some Siri interaction with the house...


Sent from my iPhone using Tapatalk
Link to comment
Share on other sites

This thread is quite old. Please consider starting a new thread rather than reviving this one.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...