Author Topic: Session management & authentication  (Read 14968 times)

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Session management & authentication
« Reply #15 on: October 08, 2010, 06:41:38 am »
Hi umtauscher     


Happy to see that I am not the only guy to feel that there is a very big problem in the Vera security principles concerning accounts/rights management and links with MVC servers.

I am afraid we can easily imagine a backdoor usage for the Vera on our networks!!!

This is unacceptable...

regards

Offline umtauscher

  • Full Member
  • ***
  • Posts: 223
  • Karma: +0/-0
Re: Session management & authentication
« Reply #16 on: October 08, 2010, 06:54:41 am »
Hi atlantis94fr,

I understand what you mean but what I am really NOT happy about, is how unprofessionally MCV works. The concept went from open and friendly to closed and suspicious.

At the moment I really doubt that MCV are really that naive about our concerns. I rather tend to the conclusion that their real intent is to have backdoors into as many homes as they can get.

Cheers
Umtauscher

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Session management & authentication
« Reply #17 on: October 08, 2010, 07:06:11 am »
Hello,

I agree with you, I'll lock outgoing flows to the Internet in my firewall's Vera-dedicated DMZ as soon as I go back home tonight...

Better to avoid any alien access to home security devices...

It will be my choice too, waiting for answers and/or security process management modification/improvement from MCV...

Regards
« Last Edit: October 08, 2010, 07:16:16 am by atlantis94fr »

Offline JOD

  • Beta Testers
  • Hero Member
  • *****
  • Posts: 1973
  • Karma: +4/-0
Re: Session management & authentication
« Reply #18 on: October 08, 2010, 09:52:07 am »
atlantis94fr, umtauscher,

Are you thinking some sort of conspiracy?

JOD.
I'm sorry, my responses are limited. You must ask the right questions.

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Session management & authentication
« Reply #19 on: October 08, 2010, 10:53:09 am »

Cannot say anything about it, but such a risk exists.

While I write, my Vera is perhaps (depending on what has been coded in it, indeed, but we don't know and this is a part of the problem) fully open to the MCS people's eyes...

The only way to secure it today is to cut the link with the Internet.

However, the security options for Vera/MCS servers seem not "state of the art" regarding the security mechanisms requested for professional IT systems.

Usage of such a device would be refused by IT security staff in any company which is concerned by those topics... Very often a solution is refused or seriously discussed by one of my customers because of an unsecured solution concerning data flow management.

My opinion is that from the point of view of home automation Vera addresses the subject very well, but not today from a security point of view...

That's all !!!

Offline JOD

  • Beta Testers
  • Hero Member
  • *****
  • Posts: 1973
  • Karma: +4/-0
Re: Session management & authentication
« Reply #20 on: October 08, 2010, 11:21:15 am »
Interesting and I totally agree.

The thought of superfluous code being in the FW that would allow back door access has crossed my mind in the past, and the fact MCV has the serial number / MAC address of every Vera sold.

JOD.
I'm sorry, my responses are limited. You must ask the right questions.

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Session management & authentication
« Reply #21 on: November 04, 2010, 04:51:43 pm »
However, very curious that MCV does not even try to comment about suppositions concerning Vera usage as a backdoor...

Offline Dano87

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Session management & authentication
« Reply #22 on: January 09, 2011, 10:55:35 am »
Earlier in this post, umtauscher said he was searching for an alternative to Vera due to these concerns. Any luck?

I really don't understand MCV's logic on this change. They are now taking a larger liability risk by requiring all users to use their MOIS server security method vs. letting the user have a choice. As someone said, the only 100% secure environment is to disconnect the internet connection and operate on a private LAN. Vera2 (UI4) does not allow this... it just doesn't make sense... unless MCV's business plan is to take control of their install-base (like the others - Xanboo, Homesecure, etc.)... say it's not true.

This product has so much potential with an open architecture and the community forum that has been developed. Hopefully, MCV will put the decision back in the hands of the users where it belongs. This will only make their product a bigger player in the marketplace.