RyanE's Web Events Driver and SSL/HTTPS

[c4007]

Hello,

I have been using RyanE's Web Events Driver (http://untestedhacks.com/2013/web-events-driver/#comments) -- and it works great.  Nice and simple.

 

Question -- I would like to use it over a secure HTTP connection (SSL/HTTPS)... would anyone happen to know if this is possible?  and if so, how to configure Control4/Web Events Driver to do so?

 

Thanks

[RyanE]

No, you can't do an SSL connection to that driver, as it's using Server Sockets for communication, which are a Telnet-style connection into the controller.

 

I find it unlikely that I'm ever going to want to implement SSL in Pure Lua.

 

I may be a bit masochistic in drivers, but no one is *that* much of a masochist.

 

 

Sorry.

 

RyanE

[chesterwilson]

Where is the composer pro *hack*

[c4007]

Got it, makes sense (unfortunately).

 

I've built an app which sends commands to Control4 (HC800) from an iPhone (allows you to unlock the house using the fingerprint sensor on the iPhone)... and I'd like the commands to be more 'secure' when not on our home network.  I have a 1024 bit 'key' generated to send along with the command, but of course it's in "clear text" over HTTP and so doesn't help in the case where someone sniffing traffic.  When you're on WiFi at our house you get the benefit of WPA2 encryption, and when you're on the iPhone coming to the house you're on LTE -- and so not a lot of security exposure there.  Still, would prefer to do over SSL.  I suppose I could configure a per-app VPN on the iPhone to our router, but that seems like an overkill and too flaky for multi-times-per-day use.

 

Do you know if there is a way in Control4 / some Driver out there (happy to pay for one) that allows you to send HTTPS/SSL commands to Control4?

 

Thanks

 

[msgreenf]

Got it, makes sense (unfortunately).

I've built an app which sends commands to Control4 (HC800) from an iPhone (allows you to unlock the house using the fingerprint sensor on the iPhone)... and I'd like the commands to be more 'secure' when not on our home network. I have a 1024 bit 'key' generated to send along with the command, but of course it's in "clear text" over HTTP and so doesn't help in the case where someone sniffing traffic. When you're on WiFi at our house you get the benefit of WPA2 encryption, and when you're on the iPhone coming to the house you're on LTE -- and so not a lot of security exposure there. Still, would prefer to do over SSL. I suppose I could configure a per-app VPN on the iPhone to our router, but that seems like an overkill and too flaky for multi-times-per-day use.

Do you know if there is a way in Control4 / some Driver out there (happy to pay for one) that allows you to send HTTPS/SSL commands to Control4?

Thanks

So are you port forwarding to make this Internet facing?

Sent from my iPhone using Tapatalk

[c4007]

Currently, yes -- port forwarding on Router (no need to open up Port:5020 for Control4, just custom Port for "Web Events Driver" -- and simple 'parser' in Control4 script to ensure only valid commands+key are processed).

 

[LSDave]

Why not use a vpn on your phone?

[c4007]

I haven't found a VPN that is easy to configure on iPhone that is per-app and works reliably.  I am happy to look more into that option though.  Anyone have a recommendation on a solid VPN, and instructions for per-app configuration?  I am using iPhone6 and have a Ubiquity Edge Router Lite router.  Thanks in advance for any pointers.

[RyanE]

You could hash your key with something like the time or even a sequence number, so no replay attack would work, but even so, HTTPS would definitely be better.

 

Unfortunately, I don't know a way currently to do what you're wanting to do (receive HTTPS directly on the controller).

 

You could use a front-end Raspberry Pi or equivalent to receive the HTTPS request, and then pass that on inside the network to the Control4 system, at a pretty minimal cost, although it'd be more setup.

 

Sorry.

 

RyanE

[ILoveC4]

I've always been down on port forwarding, but is there any fear in forwarding PORT 8080?

[Cyknight]

!!!! It's one of the worst to forward!

Unless you're hosting a web-site (and have all the associated security for it in place) keep that thing closed off!

[ILoveC4]

!!!! It's one of the worst to forward!

Unless you're hosting a web-site (and have all the associated security for it in place) keep that thing closed off!

Are you bring serious Cyknight? I thought this port was safe as it's kind of a "dummy" port.

[msgreenf]

Seriously? It's terrible

Sent from my iPhone using Tapatalk

[ILoveC4]

I'll plug it back up. Thanks!

[ILoveC4]

To help me understand, can you explain why it's terrible? Allowing http commands from outside at port 8080 to hit my controller. It can only do anything if it includes a specific string, and even then I wouldn't have commands to do security things like open doors, locks, etc...

[msgreenf]

Port 8080 is what all the script kiddies and scanners check for open ports. You have no authentication on the port. So anyone can send any command in.

I agree risk is minimized by not doing door and alarm stuff but still. Not something I would trust

Sent from my iPhone using Tapatalk

[rosenqui]

Leaving any port that exposes an insecure service is asking for trouble. Opening a common port like 80, 8000, or 8080 is like leaving your front door wide open and then putting a sign on your lawn inviting thieves in.

 

Using a port number in the 50000-65535 range will be marginally better but just delays in inevitable. Bots from around the world are constantly scanning the ports of any IP exposed to the internet, so open ports will be found. All you can do is make sure that the ports you open only expose secure services like SSH (with name & password authentication disabled) or a VPN with strong authentication.

 

Surf around http://www.shodanhq.com/ a bit and you'll be amazed at what that one public search engine finds. Expand that by an order of magnitude for what hackers will find.

[ILoveC4]

Thanks. I closed it off. I do have a VPN, I just want to automate the sending of commands from my phone while away from the house. I guess I'll go back to my original plan of doing it via email. It works, but not instantly like the web events do.

[zaphod]

Webevents question - how long do I have to wait before sending multiple events to C4 using the WebEvents driver?

Let's say I hit http://myserver:8080/command1 that does action A on C4 and then http://myserver:8080/command2 that does action B on C4.  Should I be waiting a certain amount of time between sending the two commands?  How long?  Or does this depend on the speed of my controller (an HC-800) and how busy it is at the time.

[RyanE]

Unfortunately, it's been sooooo long since that driver was written, I don't know the answer to the question.

It should probably be completely rewritten, using the latest DriverWorks server socket functionality.

Sorry.

RyanE

 

[zaphod]

Thanks Ryan, either this should be rewritten or other similar drivers return that would take more info or in a more updated fashion.  It would be nice to be able to pass in more info rather than just a command - perhaps a command plus some arguments.

There are a few things around that allow C4 to interface with the outside world - IFTTT Maker driver (which should really be renamed to the IFTTT Webhooks driver since IFTTT has renamed Maker to Webhooks), and a recent Webhooks driver.  It would also be nice to have integration with MQTT.

It would be nice if there was a full REST API but there is the (undocumented) SOAP interface.

[Stealth22]

@zaphod I think the closest thing that comes to it would be this: http://www.houselogix.com/shop/control4-http-web-api

I haven't tried it though...looking into what the cost of that driver would be.

[lukas.polivka]

https://github.com/itsfrosty/control4-2way-web-driver

[zaphod]

Thank you Lukas, that looks useful

[dhendriksen]

https://github.com/itsfrosty/control4-2way-web-driver

How do you tell Siri what command to send when you say “is my garage closed?”, and how do you parse out the response? Does this require HomeKit? I’m trying to figure out how to leverage Shortcuts to get some Siri interaction with the house...


Sent from my iPhone using Tapatalk