Phone/WebRIVA Login/Security Alternatives?
#1
Are there any alternatives to logging in to WebRIVA on a phone other than passing the login credentials in the query string? I have a static IP and an SSL certificate is not an option. 

But honestly, the threats are extremely limited, IMHO.

Someone would have to know my static IP, know that I use CQC, etc., and all of the reasons not to use the query string to pass sensitive info really do not apply:

  • saved in browser history - not applicable
  • saved in server logs - not applicable
  • inadvertent posting of the entire link - not applicable
  • exposed in the "referrer" header - not applicable
  • available to browser extensions - not applicable

I thought about an intermediary IV where I would then use that to log in. I set up a user, Login, which only has access to a login IV template and would show the user a login page (http://STATIC_IP/CQSL/WebRIVA/index.html?user=Login&pw=page). I would then log in with another user and a pin code (e.g., 93827) versus a password which would then show me another set of templates.

But this approach would require me to enter the pin code each and every time unless there was a way to set something to say "remember me".
Reply
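Two of the places listed in the post above where a query string can end up, server logs and the Referer header, can be checked mechanically. The following is an added example, not part of the original thread or of CQC: a Python scrubber that finds and redacts credential parameters in access-log lines. The log lines are constructed; `user` and `pw` come from the URL in the post, while the other parameter names and the combined log layout are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets. "user" and "pw" come from the URL in the
# post above; the others are assumed common variants.
SENSITIVE = {"user", "pw", "password", "pin", "token"}

# Anything that looks like a URL or request path carrying a query string.
URL_RE = re.compile(r'(?:https?://[^\s"]+|/[^\s"?]*)\?[^\s"]+')

def redact_url(url):
    """Return (redacted_url, names_of_redacted_params)."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            hits.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_line(line):
    """Redact every URL in one log line; return (clean_line, leaked_names)."""
    leaked = []
    def repl(match):
        clean, hits = redact_url(match.group(0))
        leaked.extend(hits)
        # Leave URLs without secrets byte-for-byte unchanged.
        return clean if hits else match.group(0)
    return URL_RE.sub(repl, line), leaked

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2020:14:44:01 +0000] "GET /CQSL/WebRIVA/index.html?user=Login&pw=page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Jan/2020:14:44:05 +0000] "GET /img/logo.png HTTP/1.1" 200 901 "http://192.0.2.10/CQSL/WebRIVA/index.html?user=Login&pw=page" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Jan/2020:14:45:00 +0000] "GET /status?page=2 HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

def scrub_log(lines):
    """Scrub a list of log lines; one (clean_line, leaked_names) per line."""
    return [scrub_line(line) for line in lines]

if __name__ == "__main__":
    for clean, leaked in scrub_log(SAMPLE_LOG):
        print(leaked, clean)
```

The second sample line shows the credential appearing in the Referer field of a request for a different resource, which is why the scrubber scans the whole line rather than only the request path.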
#2
Why is SSL not an option? You can use a dynamic DNS service, even if your address isn't dynamic. That'll give you a DNS name to get a cert for.
Dean Roddey
Explorans limites defectum
Reply
#3
You cannot get a cert for an IP Address and I do not want a domain name pointing at my static IP.
Reply
#4
(01-13-2020, 02:44 PM)gReatAutomation Wrote: You cannot get a cert for an IP Address and I do not want a domain name pointing at my static IP.
Why not use a VPN?
Reply
#5
Not having a domain name pointing at your IP doesn't really gain you anything that I can see. It's not like it's hiding you away. Hackers probably don't bother much with DNS names anyway, they can just do automated address scans looking for vulnerabilities at every address. So you'll already be getting probed regularly if you have any ports open.
Dean Roddey
Explorans limites defectum
Reply
#6
Let me ask the original question again: Are there any alternatives to logging in to WebRIVA on a phone other than passing the login credentials in the query string? I thought about an intermediary IV where I would then use that to log in. I set up a user, Login, which only has access to a login IV template and would show the user a login page (http://STATIC_IP/CQSL/WebRIVA/index.html?user=Login&pw=page). I would then log in with another user and a pin code (e.g., 93827) versus a password which would then show me another set of templates.
Reply
#7
You can of course do that. Limited CQC user accounts cannot access anything but the template they are configured for. So, even if they got the CQC level user name/password, they could only access that template. Of course the conversation back to the server would not be secure, and if you wanted to go conspiracy theory someone could see where the buttons are on the screen and watch the click messages being sent back to the server to know what you entered. But that would require a pretty personalized attack on you, not some random hit and run attack.
Dean Roddey
Explorans limites defectum
Reply
#8
(01-13-2020, 05:56 PM)Dean Roddey Wrote: You can of course do that. Limited CQC user accounts cannot access anything but the template they are configured for. So, even if they got the CQC level user name/password, they could only access that template. Of course the conversation back to the server would not be secure, and if you wanted to go conspiracy theory someone could see where the buttons are on the screen and watch the click messages being sent back to the server to know what you entered. But that would require a pretty personalized attack on you, not some random hit and run attack.

I can create the login page (pin code) just fine. How the heck do you send the value to CQC to/open another template with the login information entered by the user?

I cannot seem to use EntryFld.SendValue to open a new template.
Reply
#9
You just call the IntfViewer::LoadTemplate() command. That will reload the new template within whatever the command is invoked within (main template or overlay). Oh, are you asking how to invoke LoadTemplate()? In that case, just do it on the Enter key on your login template. Get the value from the entry field that you are using for the *** type display, and if you are happy with it, just call LoadTemplate().
Dean Roddey
Explorans limites defectum
Reply
#10
Let me make sure I am explaining this.

For this test, I have Login and Main templates. I have two users: "LoginUser", which only has access to the Login template, and "MainUser", which only has access to the Main template. The Login template is a simple username and pin code entry.

When I open the Login template via WebRIVA I need to be able to enter the username ("MainUser") and the correct pin code so that I can load the Main template. If I do not enter the correct username or pin code then the Main template will not load.

I have to be able to pass the login info.

There is no LoadTemplate, only LoadNewTemplate, and no parameters are available. I cannot use EntryFld.SendValue because the value is not being sent anywhere.
Reply

