Secure Communications

Most connections XTension makes, be they direct to other sites or services, or the incoming connections to the JSON server or the web interfaces, can make use of an SSL certificate for secure communications. It’s very easy to create a “self-signed” certificate to encrypt your incoming Web Remote connections.

XTension wraps all the calls to the various SSL tools into the simple “Certificate Manager” window that you’ll find under the Windows menu. From there you can enter your dyndns domain if you wish, or leave it blank if you’re not using such a service, and click “Generate Certificate”.

After doing that, high-quality encryption is available for the incoming web clients, the JSON server or any other incoming connection.

The problem with a self-signed certificate is that the browser or device that is connecting cannot verify the key with a third party to make sure that the server offering up the certificate is really the one it claims to be. The problem with a “real” certificate is that you can’t properly create one that points to a dynamic IP address or that is a subdomain of a full domain (i.e. mySuperSecureServer.no-ip.org); you’d need to do some work with the no-ip.org people and not register your subdomain yourself.

While it is possible to get a static IP from most internet providers so you can register a real domain name and therefore create a truly encrypted connection in a proper fashion, that adds considerably to the cost of setting up your web remote.

If you’re running a bank, or any site that keeps user information around at all, then using a properly managed certificate with 3rd party validation is absolutely vital. Doing so for a dynamic DNS hosted home control website is difficult to impossible depending on how much money you want to spend on it.

It’s still possible, with a self-signed certificate, to run a perfectly secure site to your home that cannot be sniffed or man-in-the-middle attacked; you just have to know what the various errors and scary-sounding messages mean.

After creating a certificate and setting up your Web Remote page to use it, you should hit the page from your browser locally. The first time you do this on your phone or on your regular laptop or desktop browser you will get a very scary warning saying that this site might be trying to capture your personal information! Wow… very scary. Fortunately it doesn’t mean the same thing for us as it would for a bank.

First of all, the connection is still completely encrypted, and as safe as your bank’s, with a self-signed certificate just as with a regular certificate. The only thing the browser can’t do is verify that the serial number or public key of the certificate is the one that is expected by looking it up with a third-party validator.

This means that when you connect to a site with a certificate it has never seen before, the computer cannot verify whether the certificate is really registered to the bank. This is how a “man in the middle” attack works. The bad guy links you through a slightly misspelled link or something you didn’t notice in a phishing email to connect to HIS machine and not your bank. He creates an SSL connection too, so that you see the nice secure padlock icon in your browser. He then opens an SSL connection to the bank itself and forwards all your web traffic, which arrives over the SSL connection he controls and which he can therefore read as plain text, to the bank with its real certificate. All your sign-on and other information is readable by him, and he can save it all off and log into your bank later with the saved info. This is obviously terrifying! That is why the browsers are so untrusting of a self-signed certificate.

The good news is that if you normally connect from your phone or your own laptop there is an easy solution to guarantee this is not happening to you. And if you need to be able to connect from other public machines there is an almost equally easy solution to make sure.

Once you set up your server at home, log in with your phone or laptop or desktop and click through all the horrible warnings and finally force it to visit the site. Once you do that, the key is stored in your keychain and you won’t get the same warning any future time you reconnect.

That means that if someone does perform a man-in-the-middle attack on you, you’ll get that warning message again! If you’re connecting from a public wifi network and some fake proxy server is trying to fake out your connection, you WILL get the same error message on any machine from which you’ve previously OK’ed the self-signed certificate. Once you’ve OK’ed the certificate you will not get the error unless something bad is happening. If you get the error, stop; don’t connect, as something odd is going on. If you don’t get the error, then your phone or laptop has recognized the serial number or the key and it knows that the connection is definitely from the same machine that you OK’ed back when you set it up.

If you need to connect from a machine on which you haven’t already saved the certificate, then there is another step. From a new machine you will always get the error on the first connection, so you need a way to see if the connection is really from your machine or from a bad proxy server or other hack.

Luckily, when you “view certificate” that first time you connect, the serial number is available in the window that pops up. Write down those 6 or 7 numbers and stick them on a card in your wallet. When you connect from any public machine you can verify that the serial number is the same as when you created the certificate. If not, then don’t connect! If they are the same, then you’ve become the third party to validate the certificate and you now know for certain that you’re connecting to your actual machine and nobody is performing a man-in-the-middle attack on you.

In the case of your bank you have no way to know the serial number of their certificate before you connect so you cannot verify it yourself. You have to have the third party do it for you. For your own certificate you can easily check that short serial number yourself if you need to, or rely on the keychain on your phone to do it for you and verify that the certificate is the same one that you already OK’ed previously.
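
A sketch of the two checks described above (the stored-certificate check and the written-down-value check), added here as an example and not part of XTension. It compares the SHA-256 fingerprint of the whole certificate, which certificate viewers show alongside the serial number, instead of the serial number itself, because the fingerprint changes whenever the certificate does; the host name home.example and all function names are assumptions.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'ab cd ..' as copied from a certificate viewer."""
    return fp.replace(":", "").replace(" ", "").lower()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the presented certificate without validating it (self-signed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Keychain-style check: remember on first use, compare afterwards."""
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen          # first visit: the user accepts the warning
        return "first-use"
    if hmac.compare_digest(normalize(pinned), seen):
        return "match"
    return "MISMATCH"               # a different certificate: stop, do not connect


def matches_card(der: bytes, card_value: str) -> bool:
    """Wallet-card check from a machine that has no stored pin."""
    return hmac.compare_digest(normalize(card_value), fingerprint(der))


if __name__ == "__main__":
    # Constructed stand-ins for two DER certificates (not real certificates).
    home, other = b"constructed-home-cert", b"constructed-other-cert"
    store = {}
    for der in (home, home, other):
        print(check_pin(store, "home.example", der))
    print(matches_card(other, fingerprint(home)))
```

Against a live server, pass `fetch_der("your-host")` as the `der` argument.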

XTension uses 1k sized keys and is as safe as the best security from a bank or other internet service, even with a self-signed certificate, as long as you know these few things. If connecting from a remote machine for the first time, you must be your own 3rd party to validate the serial number.

Once you’re sure it’s actually your certificate that you’re connecting to, your connection is as secure as the best encryption for the web anywhere.