mdhiggins / ESP8266-HTTP-IR-Blaster

ESP8266 Compatible IR Blaster that accepts HTTP commands for use with services like Amazon Echo
MIT License

VERY Insecure #328

Closed bwosborne2 closed 2 years ago

bwosborne2 commented 2 years ago

This needs to be secured, at a minimum, with https SSL encryption before exposing directly to the Internet

It might be better to route this through a secure, Internet hardened reverse proxy such as an nginx server

rocket357 commented 2 years ago

Edit - lol oops, wrong link. Here's the right one:

https://github.com/mdhiggins/ESP8266-HTTP-IR-Blaster#security

bwosborne2 commented 2 years ago

That should be listed earlier, in the primary instructions. Many users looking for a solution will not drill down that deep.

I just corrected somebody on a forum looking to expose 50 televisions to the Internet using this.

rocket357 commented 2 years ago

An alternative would be to document using it with Google Assistant (via Home Assistant) which does not require exposing the IRBlasters to the internet.

TheMCMan commented 2 years ago

Mine is secured by Raspberry Pi proxy. But this is a project add-on. Mine also works with Google assistant.

On Tue, Jan 18, 2022, 07:19 bwosborne2 @.***> wrote:

This needs to be secured, at a minimum, with https SSL encryption before exposing directly to the Internet

It might be better to route this through a secure, Internet hardened reverse proxy such as an nginx server


bwosborne2 commented 2 years ago

Google Assistant (via Home Assistant)

You have HA parsing the http string? The user I corrected was on the HA forum.

Apparently the developer wants to support Alexa though.

rocket357 commented 2 years ago

You have HA parsing the http string? The user I corrected was on the HA forum.

My use case, arguably, is a simple one. I have a few IRBlasters attached to lights (just on/off), so the sequences are pretty simple.

The TL;DR is to configure Home Assistant to have a switch with an automation attached to toggle it back and forth, then call that from a fulfillment URL in the Google Assistant Add-On. There will need to be something like this for the automation to call:

rest_command:
  master_led_off:
    url: "http://10.120.128.1:8080/msg?code=F7C03F:NEC:32&address=0xef00"
    method: put
  master_led_on:
    url: "http://10.120.128.1:8080/msg?code=F740BF:NEC:32&address=0xef00"
    method: put
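
As an added example (not rocket357's own configuration and not part of the project), here is one way to wrap those two rest_commands in a Home Assistant template switch so the blaster only ever has to be reachable from Home Assistant on the LAN. It assumes the blaster address 10.120.128.1:8080 from the post and a helper boolean named input_boolean.master_led_state that you create yourself, because IR is one-way and Home Assistant has no way to read the light's real state back.

```yaml
# Added example configuration.yaml fragment. Assumption: the blaster sits at
# 10.120.128.1:8080 on the LAN (as in the post) and is never port-forwarded;
# only Home Assistant is exposed to Google Assistant.
rest_command:
  master_led_off:
    url: "http://10.120.128.1:8080/msg?code=F7C03F:NEC:32&address=0xef00"
    method: put
  master_led_on:
    url: "http://10.120.128.1:8080/msg?code=F740BF:NEC:32&address=0xef00"
    method: put

# IR gives no feedback, so a helper remembers the last state we commanded.
input_boolean:
  master_led_state:
    name: Master LED (last commanded state)

# Template switch for Google Assistant to toggle: each action fires the
# matching rest_command and then records the new assumed state.
switch:
  - platform: template
    switches:
      master_led:
        friendly_name: Master LED
        value_template: "{{ is_state('input_boolean.master_led_state', 'on') }}"
        turn_on:
          - service: rest_command.master_led_on
          - service: input_boolean.turn_on
            target:
              entity_id: input_boolean.master_led_state
        turn_off:
          - service: rest_command.master_led_off
          - service: input_boolean.turn_off
            target:
              entity_id: input_boolean.master_led_state
```

Expose switch.master_led (not the rest_commands) to Google Assistant; if someone toggles the light with the physical remote, the remembered state will drift until the next voice command resyncs it.
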

mdhiggins commented 2 years ago

Security limitations are discussed at length in the readme and there are security options in place within the limits of the hardware. The MQTT branch also offers an additional solution without opening the port for those that wish to provide their own MQTT server. Reverse proxies or using an intermediate such as HA are also options.