Security (or lack thereof...)

Trying to access the Homey using SSL makes for a NASTY surprise…

# nmap 192.168.11.21 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-20 08:40 CEST
Nmap scan report for homey-61d5XXXXXcbb2e.XXXXXXX (192.168.XXX.XXX)
Host is up (0.015s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: 90:E8:68:XX:XX:XX (AzureWave Technology)

Ah, HTTPS:

# curl -v https://192.168.XX.XX
*   Trying 192.168.XX.XX:443...
* Connected to 192.168.XX.XX (192.168.XX.XX) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

SSLv3 … that was thrown in the trash bin several years ago (anyone remember Heartbleed?).
TLSv1.3 is the actual minimal level for SSL; TLSv1.2 has been on the back burner for over a year due to the same weakness as Heartbleed. Alas, not all devices can use TLSv1.3 yet, so TLSv1.2 is still allowed when there is nothing else.
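
An added example, not part of the original post: a small Python parser for the `curl -v` trace above that decodes the OpenSSL error code in it. It assumes the OpenSSL 1.x packed error layout (library, function, reason), where a reason of 1000 + N means TLS alert N was received from the peer; the function names and the alert subset are chosen for this example.

```python
import re

# Constructed sample: the failure lines from the curl -v trace in the post above.
SAMPLE_TRACE = """\
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
"""

# TLS alert descriptions (RFC 5246 / RFC 8446), subset relevant to handshakes.
TLS_ALERTS = {40: "handshake_failure", 47: "illegal_parameter",
              70: "protocol_version", 71: "insufficient_security",
              80: "internal_error", 112: "unrecognized_name"}

ALERT_REASON_OFFSET = 1000  # OpenSSL: reason = 1000 + alert number for peer alerts


def decode_openssl_error(code_hex):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def summarize_trace(trace):
    """Return what the client sent and which alert the peer answered with."""
    result = {"alpn_offered": [], "sent": [], "peer_alert": None}
    for line in trace.splitlines():
        if m := re.match(r"\* ALPN: offers (\S+)", line):
            result["alpn_offered"].append(m.group(1))
        elif m := re.match(r"\* (\S+) \(OUT\), TLS handshake, (.+) \(\d+\):", line):
            result["sent"].append(m.group(2))
        elif m := re.match(r"\* error:([0-9A-Fa-f]{8}):", line):
            lib, _func, reason = decode_openssl_error(m.group(1))
            if lib == 20 and reason > ALERT_REASON_OFFSET:  # 20 = SSL library
                number = reason - ALERT_REASON_OFFSET
                result["peer_alert"] = (number, TLS_ALERTS.get(number, "unknown"))
    return result


if __name__ == "__main__":
    print(summarize_trace(SAMPLE_TRACE))
```

For this trace the decoded reason is alert 40 (handshake_failure) sent by the server in reply to the ClientHello; "sslv3 alert handshake failure" is OpenSSL's name for that reason code. The trace alone does not show which protocol versions or cipher suites the device accepts.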

Why bother bro, you don’t want Homey. Quote:

This was one of the contributing factors of that.
Look at the timing of the posts… This was just before the other. When I still bothered…

For someone who doesn’t bother you sure took a lot of effort by signing up and posting this…
You should have just turned away, it would have saved you energy and negative vibes.

Well, this is a serious inconvenience.

So it has been since the introduction of Homey… If you just found out now it can’t have been that high on your list…