Heatermeter, SSL and Heartbleed

Rob Weber

New member
I know this has been discussed in a couple of other threads, but I'd love to be able to review this again. Can the HM be set up to be secure from Heartbleed attacks, and what's the best way?

By default, the system only listens on port 80/HTTP, which is not a secure connection to begin with. That being said, unless you're out and about, using public wifi connections to remotely log in and control your HM, the risk level is pretty much zero. Even -if- someone did manage to scoop your HM password, there's not a whole lot they're going to be able to do. Just remember to be smart and not reuse passwords for things, i.e. don't set your HM password to the same password that you use for online banking!

Keep in mind that if you only ever monitor your HM remotely and never actually log into it, then there's no risk of your username and password being captured.

I think you can set up HM to listen on 443/HTTPS, but I'm not sure that the current release of OpenWRT that it's using is patched for Heartbleed. Another alternative would be to use an SSL proxy elsewhere on your network, which would accept the HTTPS request from the public internet and then communicate over HTTP between the proxy and the HM.

Since I happen to have an always-on Raspberry Pi host at home, I'm using it as my SSL proxy running stunnel.
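An added example of the stunnel setup described in the reply above (not the poster's own configuration): stunnel on the Pi terminates TLS on 443 and forwards plain HTTP to the HM on the LAN. The HM address, certificate paths and the stunnel4 user/group are assumptions to be replaced for your own network.

```ini
; /etc/stunnel/stunnel.conf (added example; paths, user and HM address are assumptions)
; stunnel links against OpenSSL, so the Pi itself must carry a patched OpenSSL,
; otherwise the proxy simply moves the Heartbleed exposure from the HM to the Pi.

; Server certificate and key presented to remote HTTPS clients
cert = /etc/stunnel/heatermeter.pem
key  = /etc/stunnel/heatermeter.key

; Drop privileges after binding port 443 (Debian/Raspbian stunnel4 package defaults)
setuid = stunnel4
setgid = stunnel4
pid    = /var/run/stunnel4/stunnel.pid

; Refuse the legacy SSL protocol versions; only TLS is accepted
options = NO_SSLv2
options = NO_SSLv3

; Run as a TLS server (client = no is the default, stated here for clarity)
client = no

[heatermeter-https]
; Public-facing TLS listener on the Pi
accept  = 0.0.0.0:443
; Plain HTTP to the HM on the private LAN; 192.168.1.50 is a placeholder address
connect = 192.168.1.50:80
```

With this in place, only port 443 on the Pi needs to be reachable from the internet; leave the HM's port 80 reachable from the LAN only, since the proxy-to-HM leg is still unencrypted.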
 
The latest beta firmware includes fixes for Heartbleed. There are also individual packages on the build server if you only want to update just OpenSSL.