deConz/Phoscon - https adding SSL certificates

I searched unsuccessfully to find how to add SSL/certificate access to deConz and Phoscon.

Is it currently possible to disable non-SSL HTTP and allow access to the UI only
with SSL and certificates? Even better would be certificate-based authentication, instead of usernames and passwords.

One would surmise there is a reason for not using SSL, or is it a matter of filing a feature request on GitHub?

Thanks

1 Like

You do not need SSL to access the deConz UI on your LAN.
If you have exposed deConz/Phoscon ports to the internet for remote access, you should never do that. SSL alone will not protect you against attacks even if you do enable it.
SSL is not a feature of deConz but an IP setting.

Correct, bad idea to expose anything to the public Internet.

SSL provides encryption and identification, even better is certificate-based auth, instead of username/password. Just one more small step in security.

On most other systems it’s relatively trivial to configure at least SSL, and most support client certificate authentication (nginx, Apache, etc.).

The question is, in 2022, with the IETF and many other organizations moving toward eliminating non-secure connections (HTTP), wouldn’t it make sense for systems such as Phoscon/deConz to keep pace?

1 Like

SSL is not application based. Most web applications can run with or without SSL. This is typically not configured in the app itself but on the web server where the app is hosted; SSL is terminated before traffic reaches the app. There’s absolutely no benefit whatsoever to using SSL on a closed LAN behind a NAT router (but there’s no disadvantage either).

Sorry to disagree…
but that sounds like a joke from the '90s - you don’t need encrypted connections, you don’t need data protection, and anyway - you don’t have anything to hide?!

From any application created by non-hobby developers, I expect it to be close to the current state of the art.

Websites have HTTPS and a login, and passwords are encrypted.
Have you already forgotten the video showing how Zigbee lamps were hacked in one fell swoop because someone did not take security seriously?

BTW, I wish for HTTPS on the web interface!

1 Like

Just set up a reverse proxy and limit deConz to listen on localhost only. I don’t think there’s any need to add SSL to deConz itself.

1 Like
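An added example of the setup suggested in that reply, not taken from the thread or from the deCONZ project: nginx terminates TLS, requires a client certificate (the certificate-based authentication asked for in the opening post), and forwards only authenticated requests to deCONZ on the loopback interface. The listen address 127.0.0.1:8080, the hostname and the certificate paths are assumptions; deCONZ itself must be configured to bind to localhost only, which this config does not do for you.

```nginx
# Added example config (not part of the thread or the deCONZ project).
# Assumptions: deCONZ listens on 127.0.0.1:8080 only; all paths/names are placeholders.

server {
    # Plain HTTP is not served at all; every request is redirected to HTTPS.
    listen 80;
    server_name deconz.example.lan;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name deconz.example.lan;

    # Server certificate: what the browser uses to verify it is talking to this proxy.
    ssl_certificate     /etc/nginx/tls/deconz.crt;
    ssl_certificate_key /etc/nginx/tls/deconz.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client-certificate authentication: only certificates issued by this private CA
    # are accepted; a client presenting none, or one signed elsewhere, is refused
    # during the TLS handshake, before any request reaches deCONZ.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

The Phoscon app also opens a websocket on a separate port (the REST API's config reports it as `websocketport`), which needs its own proxied `server` block with the same `ssl_verify_client on` if the app is to work entirely through the proxy. A quick check that the client-certificate requirement is enforced is to connect with `openssl s_client` without a certificate and confirm the handshake is rejected, then repeat with a CA-issued client certificate and confirm it succeeds.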

Really? Is that the solution?
Then everyone can throw out the implemented modules for it and save themselves the work with it in the future. Someone will already build a proxy in front of it…
I think that is not successful.

1 Like