ZM SSL or not?

Forum for questions and support relating to the 1.34.x releases only.
mrd
Posts: 255
Joined: Wed Apr 26, 2006 12:39 am
Location: Boston USA

ZM SSL or not?

Post by mrd » Tue Mar 31, 2020 5:55 pm

Do people typically set up https on their ZM servers? Curious...
MRD

bbunge
Posts: 2667
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: ZM SSL or not?

Post by bbunge » Tue Mar 31, 2020 7:32 pm

Yes if you want to access Zoneminder from the internet side of your firewall/router.

johnydo
Posts: 7
Joined: Mon Mar 30, 2020 11:26 am

Re: ZM SSL or not?

Post by johnydo » Tue Mar 31, 2020 8:57 pm

Hi,

I use my ZoneMinder system with SSL only.
Hardware: Raspberry Pi 4 Model B 4GB Ram
Software: Ubuntu Server 18.04.4 LTS, ZoneMinder 1.34.7
Monitor-1: Vivotek FD9367-HV, 2MP, H.264 1920x1080 1080p 30FPS
Monitor-2: Vivotek FD8369A-V, 2MP, H.264 1920x1080 1080p 30FPS

Bluemax
Posts: 68
Joined: Wed Jun 12, 2019 5:15 pm

Re: ZM SSL or not?

Post by Bluemax » Wed Apr 01, 2020 12:35 am

SSL is not necessary if you use it in your local network only. For everything else there is wireguard vpn.

pat2
Posts: 77
Joined: Fri Sep 16, 2016 6:35 pm

Re: ZM SSL or not?

Post by pat2 » Thu Apr 02, 2020 10:57 pm

If you use ZM in your LAN or access ZM from WAN through a VPN, you could keep using http.

If you access ZM from WAN without a VPN (that's my case, I use ZM on my mobile mainly when I'm not at home), the https way is mandatory. Currently I allow only TLS 1.3 on my Apache server and use HTTP/2 (http2 is more secure and faster).
Please find below the results I obtained with the Qualys security test (the best, in my opinion, for testing https security). I removed my DNS name for security reasons.

You could install a self-signed certificate (there are many how-tos on the web) or you could install a free certificate from Let's Encrypt (that's my case: since my public website is also on my server, I use a public certificate, not a self-signed one; you can find many how-tos for that too).

The security aspect you highlighted with your question is really important if ZM is used directly over the WAN: even if with the proper settings in ZM you can encrypt the password without https, the images are not encrypted with an 'only' http connection.
Attachment: Cattura.JPG (78.04 KiB)
Last edited by pat2 on Thu Apr 02, 2020 11:37 pm, edited 5 times in total.
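
An Apache virtual host that restricts the server to TLS 1.3 and offers HTTP/2, as described in the post above. This is an added example, not pat2's actual configuration or ZoneMinder's own; the hostname `zm.example.org` and the certificate paths are assumptions.

```apache
# Added example: hostname and certificate paths are assumptions.
# TLS 1.3 needs Apache 2.4.36+ built against OpenSSL 1.1.1+.
# Modules: mod_ssl, mod_http2, mod_headers. mod_http2 needs the event or
# worker MPM; it does not work with prefork.

# Plain-HTTP listener: does nothing except redirect to HTTPS.
<VirtualHost *:80>
    ServerName zm.example.org
    Redirect permanent / https://zm.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName zm.example.org

    SSLEngine on
    # Let's Encrypt (certbot) default layout; point these at your own
    # files when using a self-signed pair.
    SSLCertificateFile    /etc/letsencrypt/live/zm.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/zm.example.org/privkey.pem

    # Permissive form often seen, still allows TLS 1.0/1.1/1.2:
    #   SSLProtocol all -SSLv3
    # Restricted form matching "only TLS 1.3":
    SSLProtocol -all +TLSv1.3

    # Offer HTTP/2 over TLS first, fall back to HTTP/1.1.
    Protocols h2 http/1.1

    # Tell browsers to keep using HTTPS for this host (one year).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading; afterwards `openssl s_client -connect zm.example.org:443 -tls1_2` should fail the handshake. Clients without TLS 1.3 support will not be able to connect with this setting.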

iconnor
Posts: 1189
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto

Re: ZM SSL or not?

Post by iconnor » Thu Apr 02, 2020 11:11 pm

Right now it's up to you, but I would recommend it.

In future, we may actually enforce the use of at least a self-signed certificate.

Either I write code to support insecure websockets, or I require a certificate... since requiring a certificate is more secure... I'm thinking of going that way.

Bluemax
Posts: 68
Joined: Wed Jun 12, 2019 5:15 pm

Re: ZM SSL or not?

Post by Bluemax » Thu Apr 02, 2020 11:31 pm

Self-signed certificates are rejected by some browsers (Android/Chrome, Android/Bromite and probably all derivatives).

Publicly signed certificates are intermediate certificates that can be replaced (and used as MITM) seamlessly by any other cert of the master CA without your knowledge. You have to trust the whole "chain of trust" not just this one certificate. I prefer wireguard and http. Faster, more secure, easier to set up.

Several MB/s are pumped through MJPEG. That's a lot of data that has to be encrypted/decrypted. For low-power devices this could mean degraded quality of services (less streams) due to waste of resources. One simply doesn't need any encryption in a secure environment (local area network, enterprise networks, etc).

I'm strictly against removing http completely.

pat2
Posts: 77
Joined: Fri Sep 16, 2016 6:35 pm

Re: ZM SSL or not?

Post by pat2 » Thu Apr 02, 2020 11:44 pm

Best browser with ZM is Mozilla (no constraints with number of cameras and no add-on like combozola to be installed) and no issue at all with self-signed certificate.

Let's Encrypt and the rest of the chain self signed is fully secure.

For the throughput topic: no issues with 8 cameras working and a little ARM board (odroid xu4).
Anyway, Wireguard establishes a VPN and encrypts the flow.

asker
Posts: 1303
Joined: Sun Mar 01, 2015 12:12 pm

Re: ZM SSL or not?

Post by asker » Fri Apr 03, 2020 5:12 pm

This is an interesting comment. I've switched from OpenVPN to Wireguard - the speed difference is amazing. However your comment caught my attention. Thoughts/Questions:

1. You are comparing HTTPS with HTTP+WG. My understanding in an https handshake, the initial setup is slower by a magnitude (due to agreements/etc.) but once setup, you don't need to do it again till the context remains.
2. On performance, a famous quote from Adam Langley (Google) said the CPU/performance overhead from SSL was minimal at their scale as well (source)
3. Valid point on the need to trust the full chain

So my interest was piqued for the following reasons:

a) Have you actually found HTTP+WG to be continuously faster than HTTPS?
b) Is there any benchmark you know of that compares the two modes above? Most I've read (including the benchmarks on WG's website) compare VPN-VPN.

I hadn't thought of WG+HTTP for IoT devices, but I'd like to know the real performance and security improvements if you have any comparatives.

Bluemax wrote:
Thu Apr 02, 2020 11:31 pm
Self-signed certificates are rejected by some browsers (Android/Chrome, Android/Bromite and probably all derivatives).

Publicly signed certificates are intermediate certificates that can be replaced (and used as MITM) seamlessly by any other cert of the master CA without your knowledge. You have to trust the whole "chain of trust" not just this one certificate. I prefer wireguard and http. Faster, more secure, easier to set up.

Several MB/s are pumped through MJPEG. That's a lot of data that has to be encrypted/decrypted. For low-power devices this could mean degraded quality of services (less streams) due to waste of resources. One simply doesn't need any encryption in a secure environment (local area network, enterprise networks, etc).

I'm strictly against removing http completely.
--
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts

Bluemax
Posts: 68
Joined: Wed Jun 12, 2019 5:15 pm

Re: ZM SSL or not?

Post by Bluemax » Sat Apr 04, 2020 7:32 pm

asker wrote:
Fri Apr 03, 2020 5:12 pm
Have you actually found HTTP+WG to be continuously faster than HTTPS?
I've never benchmarked them and looks like no one else did so far either.
