[ale] Home Assistant / Docker / Network Security

Alex Carver agcarver+ale at acarver.net
Tue Jul 24 15:54:02 EDT 2018


On 2018-07-24 10:22, Derek Atkins via Ale wrote:
> H,
> 
> On Tue, July 24, 2018 1:04 pm, DJ-Pfulio via Ale wrote:
>> Wouldn't a VPN be more secure? I know nothing about HomeAssist protocols.
>>
>> I use VPN (openvpn AES256) or an ssh-SOCKS proxy to access a LAN-only
>> Plex server.
> 
> Much harder to set up on my Android and iOS devices in order to monitor
> the house when I'm out.

OpenVPN on a phone is actually quite easy.  I use it all the time on my
Android.  Download the client from the store, generate your system keys
& certs, generate keys and certs for each client, then create an
all-in-one .ovpn file (contains config, keys, certs, etc. in one block)
that the client reads in when creating a new connection.

> 
>> Patching?  Is that not done, like how Asterisk is generally deployed
>> commercially?
> 
> Patching requires code updates that solve the problem... Which requires
> developers who acknowledge there is a problem and then fix it.
> 
> Based on the (10-page) thread I read, there does seem to be a problem, but
> it's unclear if it's based on SAMBA, a combination of proxy, trust, and
> x-forward-for, or some other bug.  There certainly isn't a "Best Practice"
> that I can find.
> 
> I suspect securing the docker instance would be much harder than securing
> a base OS running HA natively.   On the other hand, upgrading the native
> HA is probably harder as it's not as simple as clicking a button and
> loading the new docker image.  (I honestly have no clue how to update a
> "pip-installed" thing).


If you're worried about security then you'd have to trust the docker
image as well.  The same thing goes for Hass.io.  It seems that even
Hass.io is one more wrapper to worry about over the base Home Assistant
installation.
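
The all-in-one .ovpn file described in the message above, as an added example that is not part of the original post: a shell function that inlines the CA certificate, client certificate and client key into one profile and creates it mode 0600, since it carries the private key. The file names, the host vpn.example.net, the base client options and the PEM bodies in demo() are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). File names, the host
# vpn.example.net and the PEM bodies in demo() are constructed placeholders.

# Print only the PEM block(s), dropping any text dump written above them.
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# build_ovpn BASE_CONF CA_CERT CLIENT_CERT CLIENT_KEY OUT_FILE
build_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; out=$5
    [ -r "$base" ] || { echo "missing input: $base" >&2; return 1; }
    for f in "$ca" "$cert" "$key"; do
        [ -n "$(pem_only "$f" 2>/dev/null)" ] ||
            { echo "no PEM data in: $f" >&2; return 1; }
    done
    rm -f "$out"    # so the umask below applies to a freshly created file
    (
        umask 077   # the profile embeds the private key: create it 0600
        {
            # Drop file-based ca/cert/key lines; the inline blocks replace them.
            grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base"
            printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
            printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
            printf '<key>\n';  pem_only "$key";  printf '</key>\n'
        } > "$out"
    )
}

# Constructed inputs so the script runs offline; real ones come from your CA.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/base.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
cipher AES-256-GCM
ca ca.crt
cert phone.crt
key phone.key
EOF
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EK' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' 'Q0xJRU5UCg==' '-----END CERTIFICATE-----' > "$d/phone.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZCg==' '-----END PRIVATE KEY-----' > "$d/phone.key"
    build_ovpn "$d/base.conf" "$d/ca.crt" "$d/phone.crt" "$d/phone.key" "$d/phone.ovpn" &&
        echo "$d/phone.ovpn"
}
```

Calling demo prints the path of the generated profile; anyone who obtains that one file holds the client's private key, so move it to the phone over a trusted channel and delete intermediate copies.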

