
Web Interface HTTPS Support

phit03

Member
I seem to remember that back in the early days of the customised firmware that I was able to use an HTTPS connection for access to the web interface.

I would like to access some of my boxes via the Internet using HTTPS, but selecting "HTTPS web server? Yes" under Web Interface Settings no longer works. When you change the setting it seems to go away and do something in the background, but rebooting doesn't seem to change anything.

Is this something that should work or could be re-introduced?

I have no knowledge of how an encrypted connection is implemented and I can't find any idiots guide to what's involved. What I have read talks of certificates, private and public keys, SSL/TLS all of which are foreign to me.

Anyone know if it's possible and what would be involved?
 
Update:
Writing the above has stirred my memory and it's starting to come back to me.
I have set up a port forwarding rule on my router to access the HDR-FOX T2 and use port 443 for HTTPS.
I can now connect to the box using HTTPS but the browser (Firefox) comes up with a warning

Warning: Potential Security Risk Ahead


Firefox detected a potential security threat and did not continue to MyBox.ddns.net. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

If I continue:
MyBox.ddns.net:2211 uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

If I accept the risk and continue, it sets up an exception and I continue and connect to the box.

I now get a padlock with an exclamation mark in the address bar and Firefox says:
You are not securely connected to this site
Web Site Identity
Website: MyBox.ddns.net
Owner: This web site does not supply ownership information.

Verified by: CN=HDRFOX3,ST=Humax,C=GB

Technical details
Connection Encrypted (TLS_AES_256_GCM_SHA384, 256 bit keys, TLS 1.3)
The page you are viewing was encrypted before being transmitted over the Internet.
Encryption makes it difficult for unauthorised people to view information travelling between computers.
It is therefore unlikely that anyone read this page as it travelled across the network.

Does this mean that all traffic is now encrypted and is relatively safe compared to an HTTP connection?
 
Yes – Firefox is just baulking at the non-trusted key exchange. IMO HTTP wouldn't be particularly unsafe; it's not like you're communicating bank account details anyone could eavesdrop.
 
Thanks Black Hole. I thought the same regarding HTTP, but I was a bit worried that there might be things in the unencrypted datastream that could be used to gain access to the box to plant malicious software (unlikely given the architecture of the box, but who knows).
 
A bit of background may help.

Certificates are part of the encryption process. But in terms of trusting a web site's identity - e.g. that you are connected to your bank's genuine web site and not a look-alike set up by a criminal to capture your information - a small group of authorities are trusted by browsers etc. to issue certificates. Essentially companies purchase certificates from them, effectively paying for the trust conferred by the authority, who in turn is trusted to responsibly verify the purchaser. The whole system is based on trust, and a handful of authorities are responsible for the majority of trusted certificates.

As a by-the-by, certificates expire and have to be renewed and it's not uncommon to occasionally visit a legit web-site to find it labelled as untrusted by your browser because the certificate has expired and the company has forgotten to renew it in time. (Oops!)

There's nothing stopping anyone generating their own certificates, and that's fine and the traffic will be encrypted - but of course Firefox etc. does not know you from Adam - you are not on their list of trusted authorities! So it gives you a warning, the same as if you'd gone to the fake bank web-site that had generated their own certificate.

As BH says, the traffic to and from your Humax is not especially sensitive and it would not really matter if it weren't encrypted (ie HTTP rather than HTTPS) and some attacker decided to listen to the network traffic to and from your Humax (in itself incredibly unlikely!). It's only relatively recently that browsers have taken to enforcing the use of HTTPS by default, and that setting can still be turned off should you wish (but please don't).

This article explains more and has a Firefox section: https://www.thesslstore.com/blog/what-is-a-certificate-authority-list-and-where-can-i-find-one/. It's not something I've ever tried but if you go to the Firefox settings, as detailed in the article, you can almost certainly add your own certificate to Firefox's trusted list.

Hope that helps.
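To make the trust point above concrete, here is an added example (not from this thread or the Humax firmware) that reproduces Firefox's complaint with openssl: it generates a throwaway self-signed certificate using the DN the original poster saw (the key and cert are constructed here, not the real box's), shows that subject and issuer are identical, verifies it against the system CA store (fails, which is the browser warning), and then verifies it with the certificate itself pinned as the trust anchor (succeeds, which is what adding it to Firefox's trusted list achieves). The helper names and the temp directory are my own.

```shell
#!/bin/sh
# Added example: why a self-signed certificate trips the browser, and what "trusting it" does.
set -e
WORK=$(mktemp -d)

# Generate a self-signed cert with the DN from the thread (constructed key, not the real box's).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=GB/ST=Humax/CN=HDRFOX3" \
        -keyout "$WORK/humax.key" -out "$WORK/humax.crt" 2>/dev/null
    echo "$WORK/humax.crt"
}

# Print "yes" if subject and issuer are identical, the tell-tale of a self-signed cert, else "no".
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Verify against the system CA store: exit 0 only if some trusted authority vouches for it.
verify_with_system_cas() {
    openssl verify "$1" >/dev/null 2>&1
}

# Verify with a specific certificate pinned as the trust anchor (argument 2), like a browser exception.
verify_with_pinned_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

CERT=$(make_self_signed)
echo "self-signed: $(is_self_signed "$CERT")"
if verify_with_system_cas "$CERT"; then
    echo "system CAs: trusted"
else
    echo "system CAs: NOT trusted (this is what Firefox is warning about)"
fi
if verify_with_pinned_cert "$CERT" "$CERT"; then
    echo "pinned cert: trusted (same cert, now explicitly trusted)"
fi
```

Pinning only makes sense for a box you control; for a public site the same "accept the risk" click would also silence the warning for an impostor's certificate.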
 
It's only relatively recently that browsers have taken to enforcing the use of HTTPS by default, and that setting can still be turned off should you wish (but please don't).
It irritates me that browsers do that. I realise it's the "safe" option for naive users, but it's also a pain that a simple informational website (such as the modern version of a brochure), with no sensitivity whatsoever, has to be HTTPSed just to keep a web browser from stopping the user viewing it.
 
If you want to access your Humax, or indeed your home network, securely while you are away from home, why not set up a VPN to your home network? Tailscale is a very common VPN and easy to set up.
 
VPN is much better than port forwarding.

It's not really about people snooping on your transactions with the HDR, it's about having a window open to your LAN. Port forwarding is an open window as it exposes the T2 to the Internet. When you connect over the internet, the router forwards the 443 connection direct to the T2 - it will do the same for anyone else.

Your router will be scanned. Scanning looks for open ports and your router WILL respond on 443.
That might trigger further scanning to find out what device is behind port 443.
I'd suspect a 15 year old consumer grade device would be of interest.

Again, it's not about people seeing what programs you like to record - who cares - it's about using the T2 to find what else is there.
 