Home Assistant, Not Secure

Forums › Gadgets, robotics, home automation, electronics (including wearables) › Home Assistant, Not Secure

peejayw

1841 posts

Uber Geek

#306075 26-Jun-2023 09:30

As long as I can remember, whenever I access my HA Chrome shows that it is not secure.
I have never worried about it too much as I am only accessing it over my local network.

Recently I decided to set up a spare tablet as a control screen using an app called Fully Kiosk Browser. The problem I have encountered is when I enter the url for Kiosk to open it reverts to https://192.xxx.xx.xx etc

and then spits out an error message saying th page couldnt be loaded because of net::ERR_SSL_PROTOCOL_ERROR

If I use my Nabu Casa address it works fine.

Can anyone explain how to make my HA instance secure so I can use the local network address?

Thanks.

I'm supposed to respect my elders, but it's getting harder and harder for me to find one now.

Chippo

129 posts

Master Geek

Trusted

#3094946 26-Jun-2023 09:33

The simplest answer to this is already in your post - use your Nabu Kasa address.

To be "Secure" you must have a valid and signed SSL certificate - which must match the URL you're browsing to. You may choose to use Letsencrypt for this - but as LE certs only last for 90 days, that would require your Home Assistant to be publicly accessible over the internet - with automation to renew that certificate regularly.

The typical advice I give to solve this issue is a Nabu Kasa subscription - sounds like you've got that one sorted already.

Edit: To answer the protocol error, it sounds like it's redirecting to your "Internal" URL. My guess without any other info, is that the internal URL has an HTTPS URL, but your HA doesn't have HTTPS enabled.

I work for a global Data Protection Software company - But my opinions are my own.

peejayw

1841 posts

Uber Geek

#3094948 26-Jun-2023 09:36

Yes Nabu Casa is fine but there is a bit of a delay as it loads whereas the local address is instant hence why I was hoping to use that.

I'm supposed to respect my elders, but it's getting harder and harder for me to find one now.

amanzi

Amanzi
1292 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3094956 26-Jun-2023 09:46

One way to avoid that error locally is to use the http version of your site, e.g. http://192.168.xx.xx:8123

That assumes you trust your local network and that nobody is sniffing traffic to get your passwords.

peejayw

1841 posts

Uber Geek

#3094962 26-Jun-2023 09:55

when I use http:// etc Chrome still says unsecure, also, the Kiosk app defaults to a https:// and I cant see a way to change that.

I'm supposed to respect my elders, but it's getting harder and harder for me to find one now.

amanzi

Amanzi
1292 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3094964 26-Jun-2023 10:12

peejayw:

when I use http:// etc Chrome still says unsecure, also, the Kiosk app defaults to a https:// and I cant see a way to change that.

Do you mean the little "Not secure" warning next to the URL? Or is Chrome actually blocking you from logging in and using the site? I just tried accessing my HA locally in Chrome and I could only see a little "Not secure" warning next to the URL, which is technically true but can be ignored since we are intentionally accessing this way.

But if your kiosk app is forcing you to use https, then you're best to use your Nabu Casa address, unless you want to set up a certificate and domain name locally. For my home network, I run a Caddy reverse proxy in front of all my services, so I get proper https secure access both locally and remote. But one of the benefits of using Nabu Casa is so that you can avoid doing that. I guess it depends how much effort you want to go to...

To answer your original question - you can't use https and the local IP address without running into errors.

peejayw

1841 posts

Uber Geek

#3094965 26-Jun-2023 10:14

Thanks, its just the little triangle warning. Sounds like I should just stick with Nabu Casa and wear the slight delay. 😁

I'm supposed to respect my elders, but it's getting harder and harder for me to find one now.

amanzi

Amanzi
1292 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3094966 26-Jun-2023 10:21

BTW - I just tried Fully Kiosk Browser and had no issues navigating to the http version of my local site, i.e. http://192.168.xx.xx:8123

If you type the full http version of the address into the start URL box, it should work fine.

Sharesies kids

Free kids accounts - trade shares and funds (NZ, US) with Sharesies (affiliate link).

peejayw

1841 posts

Uber Geek

#3095023 26-Jun-2023 11:17

Just tried it again and it worked! Thanks.

I'm supposed to respect my elders, but it's getting harder and harder for me to find one now.

davidcole

6034 posts

Uber Geek

Trusted

#3095047 26-Jun-2023 12:40

or get a valid cert for the https local url. There are letsencrypt addons etc. But if you don't have a domain then it's not going to work anyway.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight

spmiller

41 posts

Geek

Lifetime subscriber

#3095056 26-Jun-2023 13:06

You could always issue your own cert and add it into the tablet. It looks like the process changes depending on the Android version.

neb

11294 posts

Uber Geek

Trusted

Lifetime subscriber

#3095094 26-Jun-2023 15:11

peejayw:
As long as I can remember, whenever I access my HA Chrome shows that it is not secure.
I have never worried about it too much as I am only accessing it over my local network.

And that's the thing, it's perfectly secure, it's just that you're not making the appropriate TLS fashion statement that Google wants to see.

To fix this, either use something other than Chrome which views fashion differently, or use any TLS MITM proxy to make the required fashion statement - there's literally one called mitmproxy. Or otherwise just any HTTP proxy that supports TLS.

neb

11294 posts

Uber Geek

Trusted

Lifetime subscriber

#3095095 26-Jun-2023 15:15

spmiller:
You could always issue your own cert and add it into the tablet. It looks like the process changes depending on the Android version.

You'd be better off installing a CA certificate so you can issue certs for any of your other devices that you need. However Google is making that harder and harder over time (see "Chrome, fashion statement") so it'll depend on your Android version, you used to be able to do it by navigating down 20 levels of menus and scary warning dialogs but now I think you need to go into USB debug mode and inject them from the host PC (haven't done it for awhile).

spmiller

41 posts

Geek

Lifetime subscriber

#3095149 26-Jun-2023 17:17

neb: You'd be better off installing a CA certificate so you can issue certs for any of your other devices that you need. However Google is making that harder and harder over time (see "Chrome, fashion statement") so it'll depend on your Android version, you used to be able to do it by navigating down 20 levels of menus and scary warning dialogs but now I think you need to go into USB debug mode and inject them from the host PC (haven't done it for awhile).

Sure. It's frustrating that in the age of "HTTPS by default" local servers are being forgotten. The assumption seems to be that anybody doing it is an enterprise who can roll out certs to all their devices by themselves, which leaves small players and home users out in the cold.

neb

11294 posts

Uber Geek

Trusted

Lifetime subscriber

#3095159 26-Jun-2023 17:45

spmiller:
Sure. It's frustrating that in the age of "HTTPS by default" local servers are being forgotten.

Oh, they're not forgotten, it's been pointed out to browser security people numerous times, but the response has always been some variant of "lalalalala we're not listening lalalalala". Typically it's "get a cert from Let's Encrypt", and when you ask how you're supposed to do that for 19.168.1.17 on an non-public LAN they never respond.

Tinkerisk

4227 posts

Uber Geek

#3095704 28-Jun-2023 09:03

So the subject of this thread is just a click-bait? 😄

- NET: FTTH, OPNsense, 10G backbone, GWN APs, ipPBX
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT: thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D: two 3D printers, 3D scanner, CNC router, laser cutter