Phone/WebRIVA Login/Security Alternatives?
#1
Are there any alternatives to logging in to WebRIVA on a phone other than passing the login credentials in the query string? I have a static IP and an SSL certificate is not an option. 

But honestly, the threats are extremely limited, IMHO.

Someone would have to know my static IP, know that I use CQC, etc., and all of the reasons not to use the query string to pass sensitive info really do not apply:

  • saved in browser history - not applicable
  • saved in server logs - not applicable
  • inadvertent posting of the entire link - not applicable
  • exposed in the "referrer" header - not applicable
  • available to browser extensions - not applicable

I thought about an intermediary IV where I would then use that to log in. I set up a user, Login, which only has access to a login IV template and would show the user a login page (http://STATIC_IP/CQSL/WebRIVA/index.html?user=Login&pw=page). I would then log in with another user and a pin code (eg, 93827) versus a password which would then show me another set of templates.

But this approach would require me to enter the pin code each and every time unless there was a way to set something to say "remember me".
Reply
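
The exposures listed in the first post (browser history, server logs, the referrer header, pasted links) all follow from the credentials being part of the URL. As an added example, not part of the original thread or of CQC, this sketch masks those parameters in any text containing such a URL before it is stored or shared. The names `user` and `pw` come from the URL in the post; the other parameter names, the mask string and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "user" and "pw" come from the URL in the post; "password" and "pin" are
# assumed extra names added for illustration.
SENSITIVE = {"user", "pw", "password", "pin"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def redact_url(url, mask="REDACTED"):
    """Return (clean_url, names_of_masked_params) for a single URL."""
    parts = urlsplit(url)
    found, pairs = [], []
    # parse_qsl decodes percent-escapes, so "pw=s%26cret" is one parameter.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = mask
        pairs.append((name, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def redact_text(text):
    """Mask credentials in every URL found in free text (log line, post, chat)."""
    hits = []
    def _sub(match):
        raw = match.group(0)
        url = raw.rstrip(").,;")          # keep trailing prose punctuation
        clean, found = redact_url(url)
        hits.extend(found)
        return clean + raw[len(url):]
    return URL_RE.sub(_sub, text), hits

# Constructed sample lines (placeholder host and values, not real data).
SAMPLE = [
    "GET http://STATIC_IP/CQSL/WebRIVA/index.html?user=Login&pw=page 200",
    "Referer: http://STATIC_IP/CQSL/WebRIVA/index.html?User=MainUser&PW=s%26cret#top",
    "see (http://STATIC_IP/CQSL/WebRIVA/index.html?user=Login&pw=page).",
    "GET http://STATIC_IP/CQSL/WebRIVA/index.html?theme=dark 200",
]

if __name__ == "__main__":
    for line in SAMPLE:
        clean, hits = redact_text(line)
        print(clean, "| masked:", hits)
```

Masking only cleans stored or shared copies of the link; over plain HTTP the original values still cross the network unencrypted.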
#2
Why is SSL not an option? You can use a dynamic DNS service, even if your address isn't dynamic. That'll give you a DNS name to get a cert for.
Dean Roddey
Explorans limites defectum
Reply
#3
You cannot get a cert for an IP Address and I do not want a domain name pointing at my static IP.
Reply
#4
(01-13-2020, 02:44 PM)gReatAutomation Wrote: You cannot get a cert for an IP Address and I do not want a domain name pointing at my static IP.
Why not use a VPN?
Reply
#5
Not having a domain name pointing at your IP doesn't really gain you anything that I can see. It's not like it's hiding you away. Hackers probably don't bother much with DNS names anyway, they can just do automated address scans looking for vulnerabilities at every address. So you'll already be getting probed regularly if you have any ports open.
Dean Roddey
Explorans limites defectum
Reply
#6
Let me ask the original question again: Are there any alternatives to logging in to WebRIVA on a phone other than passing the login credentials in the query string? I thought about an intermediary IV where I would then use that to log in. I set up a user, Login, which only has access to a login IV template and would show the user a login page (http://STATIC_IP/CQSL/WebRIVA/index.html?user=Login&pw=page). I would then log in with another user and a pin code (eg, 93827) versus a password which would then show me another set of templates.
Reply
#7
You can of course do that. Limited CQC user accounts cannot access anything but the template they are configured for. So, even if they got the CQC level user name/password, they could only access that template. Of course the conversation back to the server would not be secure, and if you wanted to go conspiracy theory someone could see where the buttons are on the screen and watch the click messages being sent back to the server to know what you entered. But that would require a pretty personalized attack on you, not some random hit and run attack.
Dean Roddey
Explorans limites defectum
Reply
#8
(01-13-2020, 05:56 PM)Dean Roddey Wrote: You can of course do that. Limited CQC user accounts cannot access anything but the template they are configured for. So, even if they got the CQC level user name/password, they could only access that template. Of course the conversation back to the server would not be secure, and if you wanted to go conspiracy theory someone could see where the buttons are on the screen and watch the click messages being sent back to the server to know what you entered. But that would require a pretty personalized attack on you, not some random hit and run attack.

I can create the login page (pin code) just fine. How the heck do you send the value to CQC to/open another template with the login information entered by the user?

I cannot seem to use EntryFld.SendValue to open a new template.
Reply
#9
You just call the IntfViewer::LoadTemplate() command. That will reload the new template within whatever the command is invoked within (main template or overlay.) Oh, are you asking how to invoke LoadTemplate()? In that case, just do on the Enter key on your login template. Get the value from the entry field that you are using for the *** type display, and if you are happy with it, just call LoadTemplate().
Dean Roddey
Explorans limites defectum
Reply
#10
Let me make sure I am explaining this.

For this test, I have Login and Main templates. I have two users "LoginUser" that only has access to the Login template and "MainUser" that only has access to the Main template. The Login template is a simple username and pin code entry.

When I open the Login template via WebRIVA I need to be able to enter the username ("MainUser") and the correct pin code so that I can load the Main template. If I do not enter the correct username or pin code then the Main template will not load.

I have to be able to pass the login info.

There is no LoadTemplate only LoadNewTemplate and no parameters are available. I cannot use EntryFld.SendValue because the value is not being sent anywhere.
Reply

