atrocity wrote:
>
> I'm probably an outlier in that I have several things running internally
> using HTTP. It's interesting to me that NONE of them, including some
> pretty hefty stuff like TrueNAS, are using HTTPS for their interfaces.
> Are the people behind TrueNAS, piHole, LMS and whatever else I can't
> remember at the moment simply *lazy* or are they reasonably certain that
> they aren't creating a security risk?
>

The problem with HTTPS is that it requires a certificate that your browser needs to trust and therefore must contain a public key from whoever authorized/signed the certificate in use. Of course, if the customer of a home appliance is willing to pay extra for that certificate, that would be easy enough to achieve, but the tricky part is that certificates as a rule have an expiration date (which is how certificate authorizers make money and likely need to pay part of that to OS vendors for having them included as trusted CAs) and your browser may deny you access to your own appliance.

As Michael stated, the security hazard isn't that big though in a home network, because there will be nothing pointing from the outside to that specific device unless you specifically changed your firewall configuration to do so, in which case you are assumed to know what you are doing. Also, for a hacker to be able to sniff any traffic between your browser and the device, he must first have control over some machine inside your network, and even then your switch will prevent him (or her! let's not forget that ladies can be crooks too) from seeing anything on the wired network.

As a side note: malware typically does not phone home. If your machine has a direct connection to the internet, the hacker's software will phone in for instructions (e.g. send spam, participate in a DDOS attack on server X, etc.), but this phone-in is in fact a cascaded method as well, and you will never be able to tell whether your machine was the first to receive it and thus that the originating IP is in fact that of the hacker (or the free Wifi from Pizza Hut).

------------------------------------------------------------------------
gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050
View this thread: http://forums.slimdevices.com/showthread.php?t=115292
