SmartThings, SHA and security


(Alex) #1

When https://graph.api.smartthings.com/ is visited in a browser, a warning message appears.

I’m not specialized in security; can someone explain what the implications of the messages below are?

Firefox:
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.

Chrome, Android:
This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.

Chrome, desktop:
This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.


(Keith Croshaw) #2

My Chrome session just says their identity has been verified, but does not have public audit records.

Sounds legit for a newer smaller company… I think…


#3

It’s Google jumping the gun on a potential future security issue. Sites with SHA1 certificates are currently still safe; Google’s just trying to push them into making long-term recommended upgrades.

Like others, I disagree with the way Google has chosen to handle this, because I think it’s basically training users to ignore security warnings.


(Alex) #4

Well, it’s Firefox too, not just Google?

Which brings me to my next question: how do I get rid of this warning on Android when I run a web app in full screen “immersed” mode?


#5

Yeah, Firefox is following Google’s lead in sunsetting SHA1 with a yellow warning.

Not sure if you can whitelist the site or not.

Edited to add: this has been controversial, but known for a while:

https://groups.google.com/a/chromium.org/forum/m/#!topic/security-dev/2-R4XziFc7A


(Alex) #6

Now this message is “in your face” with no option to remove it. It’s an eye sore on SmartTiles, for example.


#7

Report it to support@smartthings.com. It’s their issue, really, and they can make the easiest fix by getting a new cert that expires 12/31/2015 (no error message will be displayed then) while they figure out how they want to handle it long term. That should be a free change from their cert provider.

@mager, who at SmartThings owns the developer portion of the website? Any user, including regular customers, SmartApp developers, and journalists, who uses Chrome or Firefox is going to get a message that the SmartThings IDE is not fully secure. Given the recent Wink outage, this is not going to be a good idea.
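As an added example (not code from the thread or from SmartThings), here is a small Python check that reads the signature algorithm and expiry out of a certificate's DER and applies the rule in the post above: a SHA-1 signed certificate that expires after 12/31/2015 is what draws the browser warning. The OIDs, the cutoff date and the sample certificate are my own assumptions and constructions; for a real site you would feed it the DER from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`.

```python
# Added example (not from the thread): walk a certificate's DER, pull out the signature
# algorithm OID and notAfter, and apply post #7's rule. Sample certificate is constructed.
import datetime

SHA1_RSA_OID = "1.2.840.113549.1.1.5"                   # sha1WithRSAEncryption
SHA1_CUTOFF = datetime.datetime(2015, 12, 31, 23, 59, 59)  # expiry cutoff the post refers to

def tlv(buf, pos=0):                                    # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                                    # split a SEQUENCE body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                                 # base-128 arcs; high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def inspect_cert(der):
    """Return (signature OID, notAfter datetime) from a DER-encoded certificate."""
    tbs, sig_alg = children(tlv(der)[1])[:2]            # tbsCertificate, signatureAlgorithm
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                            # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    tag, not_after = children(fields[3][1])[1]          # serial, signature, issuer, validity; notAfter is 2nd
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return decode_oid(children(sig_alg[1])[0][1]), datetime.datetime.strptime(not_after.decode(), fmt)
def sha1_warning(der):                                  # True when browsers of the period would flag it
    oid, not_after = inspect_cert(der)
    return oid == SHA1_RSA_OID and not_after > SHA1_CUTOFF
def _der(tag, content):                                 # short-form DER encoder, enough for the sample
    return bytes([tag, len(content)]) + content

def sample_cert(not_after=b"160630235959Z", sig_oid_hex="2A864886F70D010105"):
    """Constructed SHA-1 signed certificate skeleton; issuer, subject and key are left empty."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)))
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))
```

Passing `sig_oid_hex="2A864886F70D01010B"` (sha256WithRSAEncryption) or an expiry of `b"151231235959Z"` makes `sha1_warning` return False, which is the two fixes the post describes.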


(April Wong) #8

We’ve updated the SSL certificate for graph.api.smartthings.com, and this warning should not appear anymore.


(Alex) #9

This is fantastic. Thanks for the quick turnaround!