It’s only security if you actually think about the end user. Otherwise it’s just sparkling cryptography
New Login Page - Needs disable option or untrusted hosts category · Issue #105226 · home-assistant/core

The problem When HA sits behind a proxy or traffic is rewritten with NAT in some complex network topologies, the 'real' IP of the client/endpoint is not exposed to Home Assistant, but instead logge...

GitHub
Is it possible to disable the new loginscreen

Since today's version there is a new login screen. Is it possible to disable this new look? (as I don’t want to display the users)

Home Assistant Community
@slamp @homeassistant @sammachin @frenck
ok and where is the security incident discussed?

#insecurebydesign is still #insecure, as your own blog post said..
#homeassistant #security #cve

@dis
What is the CVE number for this issue?
It's not mandatory to upgrade to the last version. Usually I'm doing the upgrade when the first patch of a new version is released (a.b.1 version).

@homeassistant @sammachin @frenck

@dis I agree it should be changed to allow more control or have safer defaults, but it's not exactly an "incident" when it only affects people who:

- read the release notes where this was discussed front and center
- decided to upgrade to 12.x willingly after reading the aforementioned
- have their instance facing the public internet
- haven't configured their proxy in a way that allows HA to distinguish traffic sources

@BHSPitMonkey
You forgot anyone who "doesn't trust the entire private allocation space".
From the blog:

"Of course, when logging in from outside your home network, we can’t do this as that would give away privacy-sensitive information about your system and who is in it."

Even the announcement says it's an exposure.

@dis Fair point, I just don't think "security incident" is the right way to describe a release you have to voluntarily upgrade to wherein the release notes clearly described the nature of the change. If your instance is doing something you don't like, then roll it back. I do think the maintainers should take a step back and rethink the feature.

@BHSPitMonkey
That is a valid perspective, and I get it, but in my mind it became an incident when they forcibly declared, repeatedly and for a full week, that the design was pretty and therefore it was not flawed. If this isn't the incident that gets your particular installation in trouble, that is lucky for you, but there will be one. Their security approach is, at best, ego-driven.
I saw the new version, but I also saw that they pretended not to notice at least 8 different bugs and security reports and somehow lost 3 days between closing the public bug github.com/home-assistant/core/issues/105226 and when they claim the issue was first opened. (My security issue was filed on the 11th, and I was told it was intentional and to fuck off. And addressed by the name of someone else who opened the same issue because even cut and paste proved too hard..)

My recent longer-form take on Home Assistant security is at
infosec.town/notes/9n4wb30so2knbtxw

#homeassistant @homeassistant @frenck #insecurebydesign

@BHSPitMonkey There are people on the forums who had the "trusted" login screen displayed to the world. To my mind this is a security event if they realised they had an issue before anyone else saw it, and a security incident if a 3rd party saw it. The release notes say that this will happen for people connecting from your own network, but didn't say how that was detected.

I think they've made the right choice in disabling it.
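
The detection problem raised in this thread (a proxy or NAT hides the real client address, so every request appears to come from the home network) can be reproduced with the sketch below. It is an added example, not part of the thread and not Home Assistant's code; the function names, the list of "local" networks, the proxy address and the sample requests are all constructed assumptions.

```python
import ipaddress

# Networks treated as "home" for this example (assumption: RFC 1918 plus loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def naive_is_local(peer_ip):
    """Proxy-unaware check: trusts the TCP peer address alone."""
    return _in_any(ipaddress.ip_address(peer_ip), LOCAL_NETS)

def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the client address, or None when it cannot be established."""
    proxies = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, proxies):
        return peer            # direct connection: X-Forwarded-For is ignored
    if not xff_header:
        return None            # trusted proxy sent no header: fail closed
    # Walk right to left; the first hop that is not one of our proxies is the client.
    for hop in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None        # malformed entry: fail closed
        if not _in_any(ip, proxies):
            return ip
    return None                # only proxy addresses in the chain

def is_local(peer_ip, xff_header, trusted_proxies):
    ip = effective_client_ip(peer_ip, xff_header, trusted_proxies)
    return ip is not None and _in_any(ip, LOCAL_NETS)

# Constructed sample requests: (peer address, X-Forwarded-For header)
PROXY = ["172.18.0.2/32"]
SAMPLES = [
    ("172.18.0.2", "203.0.113.7"),                 # internet client via the proxy
    ("172.18.0.2", "192.168.1.20"),                # LAN client via the proxy
    ("172.18.0.2", "192.168.1.20, 203.0.113.7"),   # client-supplied value prepended
    ("203.0.113.7", "192.168.1.20"),               # direct connection with a forged header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), naive_is_local(peer), is_local(peer, xff, PROXY))
```

Any case where the client address cannot be established is treated as remote, so a misconfigured proxy results in the user list being hidden rather than shown.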