WARNING: Insecure communication between portal & browser


skiz77
Posts: 4
Joined: Thu Jun 25, 2015 8:05 am

WARNING: Insecure communication between portal & browser

Postby skiz77 » Wed Jul 15, 2015 12:50 pm

Go here for more information:
https://ssllabs.com/ssltest/analyze.htm ... yez-on.com

True, a score of C isn't the worst possible score, but some of the offenses are a bit disconcerting for a security company who claims to use AES-128. Truth is, that's just between the Envisalink & the service, not the service & your browser. The weakest link is...

I have made the company aware of this, but they claim it is outside of their control, that they don't run the website. Actually, that is a little scary in and of itself, since this is how many of us communicate with our alarms -- that they don't even want to support their own website and they outsource it to someone who may or may not be trustworthy.

Hopefully this will be corrected before it becomes a wider issue.

eyz1507
Posts: 2
Joined: Thu Jul 30, 2015 8:43 pm

Re: WARNING: Insecure communication between portal & browser

Postby eyz1507 » Thu Jul 30, 2015 8:49 pm

In fact, the SSL certificate for eyez-on.com is not valid at all. First, it is expired. Second, it would only be valid for www.securetrak.ca, if it were not expired.

This does not inspire confidence in a company that sells security products.

eyz1507
Posts: 2
Joined: Thu Jul 30, 2015 8:43 pm

Re: WARNING: Insecure communication between portal & browser

Postby eyz1507 » Thu Jul 30, 2015 9:35 pm

Apologies; my previous comments apply only to forum.eyez-on.com, not to www.eyez-on.com. That's not quite as worrisome, though the OP's points are still valid. It would definitely reflect well on EyezOn to fix these issues.
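
The two certificate faults described in the posts above (an expired certificate, and one issued for a different hostname), shown as an added example that is not part of the thread. The certificate dict is a constructed sample in the format Python's `ssl.getpeercert()` returns; its dates are invented, and `name_matches` and `audit_cert` are hypothetical helper names.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in ssl.getpeercert() format; the dates are invented,
# the hostnames are the ones named in the thread.
SAMPLE_CERT = {
    "notBefore": "Jun  1 00:00:00 2014 GMT",
    "notAfter": "Jun  1 00:00:00 2015 GMT",
    "subject": ((("commonName", "www.securetrak.ca"),),),
    "subjectAltName": (("DNS", "www.securetrak.ca"),),
}

def name_matches(pattern, hostname):
    """Exact match, or '*' standing for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit_cert(cert, hostname, now):
    """Return a list of findings for a getpeercert()-style dict."""
    findings = []
    ts = now.timestamp()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if ts > not_after:
        findings.append(f"expired {int((ts - not_after) // 86400)} days ago")
    elif ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # the subject CN is consulted only when there is no SAN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: cert covers {names}, not {hostname}")
    return findings

if __name__ == "__main__":
    when = datetime(2015, 7, 30, tzinfo=timezone.utc)  # constructed check date
    for finding in audit_cert(SAMPLE_CERT, "forum.eyez-on.com", when):
        print(finding)
```

Either finding on its own is enough for a browser to reject the connection, so both are reported rather than stopping at the first.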

mark03
Posts: 1
Joined: Mon Sep 21, 2015 2:23 pm

Re: WARNING: Insecure communication between portal & browser

Postby mark03 » Mon Sep 21, 2015 2:46 pm

Bump (and a new user chiming in).

I just activated my EVL-3 yesterday and immediately noticed the warning in my mobile browser (Chrome on Android). I'm impressed with the service thus far, but Eyez-On should really lean on their web provider to fix this. If nothing else, it looks really bad.

Ian_81
Posts: 6
Joined: Wed Sep 30, 2015 2:53 pm

Re: WARNING: Insecure communication between portal & browser

Postby Ian_81 » Thu Oct 01, 2015 12:53 pm

Bump (and a new user chiming in).

Might be better optics if Eyez-on handled their own SSL, and went with HTTPS for everything (www, forum, etc).

The mobile link is concerning as Chrome on Android warns of weak/obsolete SHA-1 signatures & ciphers, plus uses the old TLS1.0.

skiz77
Posts: 4
Joined: Thu Jun 25, 2015 8:05 am

Re: WARNING: Insecure communication between portal & browser

Postby skiz77 » Fri Jun 22, 2018 5:15 pm

Bumping again. I don't remember what the worst offenses were when I originally posted this, but here we are a few years later, and the site still gets a C rating.

Even more concerning perhaps is the version of Apache being run. 2.2.x was discontinued over a year ago. That said, they're not even running the latest 2.2.x branch. So a "security" website is running software from 2010. Ouch.

So I guess the question for the community is what can I use instead of their website? Is there a cloud API or cloud option that doesn't involve their insecure stack? Perhaps configuring my router to talk to another cloud service? Anything viable out there? I see a couple of apps in the store, but no idea how they accomplish their magic without a little reverse engineering...

mikep
Posts: 122
Joined: Wed May 30, 2012 1:49 pm

Re: WARNING: Insecure communication between portal & browser

Postby mikep » Sat Jun 23, 2018 6:02 pm

You could run my app (DscServer, only works with DSC panels) as a local server on a dedicated low end android device (usually < $30 from bestbuy/walmart/target). It gives you access from any web browser using *your* google account via OAuth so it's very secure - there's no other servers/hosts/accounts involved. It'll work with an iPhone's web browser too but you can add the homebridge support if you want to use HomeKit/Siri.

skiz77
Posts: 4
Joined: Thu Jun 25, 2015 8:05 am

Re: WARNING: Insecure communication between portal & browser

Postby skiz77 » Mon Jun 25, 2018 7:49 am

Thanks Mike. I used to have a DSC, but I currently have a Vista 20p.

skiz77
Posts: 4
Joined: Thu Jun 25, 2015 8:05 am

Re: WARNING: Insecure communication between portal & browser

Postby skiz77 » Tue Jul 03, 2018 10:14 am

So I found two options. I'm not sure which route I'll end up sticking with, but I at least have the first one working:
1) Node.js proxy that allows EVL to communicate directly to SmartThings - and keep the statuses current; I have it working with a PC-based proxy service, in the process of trying to move it to RaspberryPi and see if I can't make it a little more reliable. It does have the benefit of local communication and the security of SmartThings (including Face Id which means I can do single push arming/disarming).
2) AlarmDecoder - looks like a really good option as well. They also sell a USB alternative to EVL. My alarm system is really close to my network switch, but if you're not nearby, this plus a RP3 looks like it could be a better route for some than EVL.

