Page 1 of 1

ZM SSL or not?

Posted: Tue Mar 31, 2020 5:55 pm
by mrd
Do people typically setup https on their ZM servers? Curious...

Re: ZM SSL or not?

Posted: Tue Mar 31, 2020 7:32 pm
by bbunge
Yes if you want to access Zoneminder from the internet side of your firewall/router.

Re: ZM SSL or not?

Posted: Tue Mar 31, 2020 8:57 pm
by johnydo
Hi,

I use my ZoneMinder system with SSL only.

Re: ZM SSL or not?

Posted: Wed Apr 01, 2020 12:35 am
by Bluemax
SSL is not necessary if you use it in your local network only. For everything else there is wireguard vpn.

Re: ZM SSL or not?

Posted: Thu Apr 02, 2020 10:57 pm
by pat2
If you use ZM in your LAN or access ZM from WAN through VPN you could maintain the http way.

If you access ZM from WAN without VPN (it's my case, I use ZM on my mobile mainly when I'm not at home), it's mandatory the https way. Currently I allow on my Apache server only TLS 1.3 and using HTTP/2 (http2 is more secure and faster).
Please find below the results I obtained with the security Qualys test (the best according to me to test https security). I canceled my DNS due to security reason.

You could install a self signed certificate (there are many how-to on the web) or you could install a free certificate by Let's Encrypt (that's my case since on my server there is also my public website I use a public certificate (not a self signed one), you could find many how-to too).

The security aspect you highlighted with your question is really important if there is a ZM usage directly in WAN: even if with the proper settings in ZM you could crypt pwd without https, the images are not crypted with an 'only' http connection.

Re: ZM SSL or not?

Posted: Thu Apr 02, 2020 11:11 pm
by iconnor
Right now it's up to you, but I would recommend it.

In future, We may actually enforce the use of at least a self-signed certificate.

Either I write code to support insecure websockets, or I require a certificate... since requiring a certificate is more secure.. I'm thinking of going that way.

Re: ZM SSL or not?

Posted: Thu Apr 02, 2020 11:31 pm
by Bluemax
Self-signed certificates are rejected by some browsers (Android/Chrome, Android/Bromite and probably all derivatives).

Publicly signed certificates are intermediate certificates that can be replaced (and used as MITM) seamlessly by any other cert of the master CA without your knowledge. You have to trust the whole "chain of trust" not just this one certificate. I prefer wireguard and http. Faster, more secure, easier to set up.

Several MB/s are pumped through MJPEG. That's a lot of data that has to be encrypted/decrypted. For low-power devices this could mean degraded quality of services (less streams) due to waste of resources. One simply doesn't need any encryption in a secure environment (local area network, enterprise networks, etc).

I'm strictly against removing http completely.

Re: ZM SSL or not?

Posted: Thu Apr 02, 2020 11:44 pm
by pat2
Best browser with ZM is Mozilla (no constraints with number of cameras and no add-on like combozola to be installed) and no issue at all with self-signed certificate.

Let's encrypt and the rest of the chain self signed is fully secure.

Fot the throughput topic: no issues with 8 cameras working and a little ARM board (odroid xu4).
Anyway Wireguard establish a VPN and crypts the flow.

Re: ZM SSL or not?

Posted: Fri Apr 03, 2020 5:12 pm
by asker
This is an interesting comment. I've switch from OpenVPN to Wireguard - the speed difference is amazing. However your comment caught my attention. Thoughts/Questions:

1. You are comparing HTTPS with HTTP+WG. My understanding in an https handshake, the initial setup is slower by a magnitude (due to agreements/etc.) but once setup, you don't need to do it again till the context remains.
2. On performance, a famous quote from Adam Langley (Google) said the CPU/performance overhead from SSL was minimal at their scale as well (source)
3. Valid point on the need to trust the full chain

So my interest was piqued for the following reasons:

a) Have you actually found HTTP+WG to be continuously faster than HTTPS?
b) Is there any benchmark you know of that compares the two modes above? Most I've read (including the benchmarks on WG's website compare VPN-VPN.

I hadn't thought of WG+HTTP for IoT devices, but I'd like to know the real performance and security improvements if you have any comparatives.

Bluemax wrote:
Thu Apr 02, 2020 11:31 pm
Self-signed certificates are rejected by some browsers (Android/Chrome, Android/Bromite and probably all derivatives).

Publicly signed certificates are intermediate certificates that can be replaced (and used as MITM) seamlessly by any other cert of the master CA without your knowledge. You have to trust the whole "chain of trust" not just this one certificate. I prefer wireguard and http. Faster, more secure, easier to set up.

Several MB/s are pumped through MJPEG. That's a lot of data that has to be encrypted/decrypted. For low-power devices this could mean degraded quality of services (less streams) due to waste of resources. One simply doesn't need any encryption in a secure environment (local area network, enterprise networks, etc).

I'm strictly against removing http completely.

Re: ZM SSL or not?

Posted: Sat Apr 04, 2020 7:32 pm
by Bluemax
asker wrote:
Fri Apr 03, 2020 5:12 pm
Have you actually found HTTP+WG to be continuously faster than HTTPS?
I've never benchmarked them and looks like no one else did so far either.