ZM SSL or not?

Forum for questions and support relating to the 1.34.x releases only.
mrd
Posts: 269
Joined: Wed Apr 26, 2006 12:39 am
Location: Boston USA

ZM SSL or not?

Post by mrd »

Do people typically set up https on their ZM servers? Curious...
MRD
bbunge
Posts: 2930
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: ZM SSL or not?

Post by bbunge »

Yes if you want to access Zoneminder from the internet side of your firewall/router.
johnydo
Posts: 7
Joined: Mon Mar 30, 2020 11:26 am

Re: ZM SSL or not?

Post by johnydo »

Hi,

I use my ZoneMinder system with SSL only.
Hardware: Raspberry Pi 4 Model B 4GB Ram
Software: Ubuntu Server 18.04.4 LTS, ZoneMinder 1.34.7
Monitor-1: Vivotek FD9367-HV, 2MP, H.264 1920x1080 1080p 30FPS
Monitor-2: Vivotek FD8369A-V, 2MP, H.264 1920x1080 1080p 30FPS
Bluemax
Posts: 121
Joined: Wed Jun 12, 2019 5:15 pm

Re: ZM SSL or not?

Post by Bluemax »

SSL is not necessary if you use it in your local network only. For everything else there is wireguard vpn.
pat2
Posts: 156
Joined: Fri Sep 16, 2016 6:35 pm

Re: ZM SSL or not?

Post by pat2 »

If you use ZM in your LAN or access ZM from WAN through VPN you could maintain the http way.

If you access ZM from WAN without VPN (it's my case, I use ZM on my mobile mainly when I'm not at home), the https way is mandatory. Currently I allow only TLS 1.3 on my Apache server, using HTTP/2 (http2 is more secure and faster).
Please find below the results I obtained with the Qualys security test (the best according to me to test https security). I canceled my DNS for security reasons.

You could install a self-signed certificate (there are many how-tos on the web) or you could install a free certificate by Let's Encrypt (that's my case: since my public website is also on my server, I use a public certificate, not a self-signed one; you could find many how-tos for that too).

The security aspect you highlighted with your question is really important if ZM is used directly over WAN: even if, with the proper settings in ZM, you could encrypt the pwd without https, the images are not encrypted with an 'only' http connection.
Attachment: Cattura.JPG (78.04 KiB)
Last edited by pat2 on Thu Apr 02, 2020 11:37 pm, edited 5 times in total.
---------------------------------------------------------------------------
ZM 1.36.34 - 14 cameras on Orange Pi 5 (arm64) - Ubuntu Jammy 22.04
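
An Apache virtual host matching the setup described in the post above (TLS 1.3 only, HTTP/2, plain HTTP redirected), as an added example that is not the poster's own configuration. The host name zm.example.org and the certificate paths are placeholders.

```apache
# Added example; zm.example.org and the certificate paths are placeholders.
# Needs mod_ssl and mod_http2. TLSv1.3 requires Apache 2.4.37+ built
# against OpenSSL 1.1.1 or later.

# Plain-HTTP listener: it only redirects, so logins and camera images
# never travel unencrypted over the WAN.
<VirtualHost *:80>
    ServerName zm.example.org
    Redirect permanent / https://zm.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName zm.example.org

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/zm.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/zm.example.org/privkey.pem

    # Weaker setting: accepts every protocol version the OpenSSL build
    # offers except SSLv3, which can include TLS 1.0 and 1.1:
    #   SSLProtocol all -SSLv3
    # TLS 1.3 only, as in the post:
    SSLProtocol -all +TLSv1.3

    # Offer HTTP/2 over TLS, falling back to HTTP/1.1 for older clients.
    Protocols h2 http/1.1
</VirtualHost>
```

mod_http2 does not negotiate h2 under the prefork MPM, so a server running mod_php with prefork will silently stay on HTTP/1.1 even with the `Protocols` line present.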
iconnor
Posts: 2880
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto

Re: ZM SSL or not?

Post by iconnor »

Right now it's up to you, but I would recommend it.

In the future, we may actually enforce the use of at least a self-signed certificate.

Either I write code to support insecure websockets, or I require a certificate... since requiring a certificate is more secure... I'm thinking of going that way.
Bluemax
Posts: 121
Joined: Wed Jun 12, 2019 5:15 pm

Re: ZM SSL or not?

Post by Bluemax »

Self-signed certificates are rejected by some browsers (Android/Chrome, Android/Bromite and probably all derivatives).

Publicly signed certificates are intermediate certificates that can be replaced (and used as MITM) seamlessly by any other cert of the master CA without your knowledge. You have to trust the whole "chain of trust" not just this one certificate. I prefer wireguard and http. Faster, more secure, easier to set up.

Several MB/s are pumped through MJPEG. That's a lot of data that has to be encrypted/decrypted. For low-power devices this could mean degraded quality of services (less streams) due to waste of resources. One simply doesn't need any encryption in a secure environment (local area network, enterprise networks, etc).

I'm strictly against removing http completely.
pat2
Posts: 156
Joined: Fri Sep 16, 2016 6:35 pm

Re: ZM SSL or not?

Post by pat2 »

Best browser with ZM is Mozilla (no constraints with number of cameras and no add-on like combozola to be installed) and no issue at all with self-signed certificate.

Let's Encrypt and the rest of the chain self signed is fully secure.

For the throughput topic: no issues with 8 cameras working and a little ARM board (odroid xu4).
Anyway, Wireguard establishes a VPN and encrypts the flow.
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: ZM SSL or not?

Post by asker »

This is an interesting comment. I've switched from OpenVPN to Wireguard - the speed difference is amazing. However, your comment caught my attention. Thoughts/Questions:

1. You are comparing HTTPS with HTTP+WG. My understanding in an https handshake, the initial setup is slower by a magnitude (due to agreements/etc.) but once setup, you don't need to do it again till the context remains.
2. On performance, a famous quote from Adam Langley (Google) said the CPU/performance overhead from SSL was minimal at their scale as well (source)
3. Valid point on the need to trust the full chain

So my interest was piqued for the following reasons:

a) Have you actually found HTTP+WG to be continuously faster than HTTPS?
b) Is there any benchmark you know of that compares the two modes above? Most I've read (including the benchmarks on WG's website) compare VPN-VPN.

I hadn't thought of WG+HTTP for IoT devices, but I'd like to know the real performance and security improvements if you have any comparatives.

Bluemax wrote: Thu Apr 02, 2020 11:31 pm Self-signed certificates are rejected by some browsers (Android/Chrome, Android/Bromite and probably all derivatives).

Publicly signed certificates are intermediate certificates that can be replaced (and used as MITM) seamlessly by any other cert of the master CA without your knowledge. You have to trust the whole "chain of trust" not just this one certificate. I prefer wireguard and http. Faster, more secure, easier to set up.

Several MB/s are pumped through MJPEG. That's a lot of data that has to be encrypted/decrypted. For low-power devices this could mean degraded quality of services (less streams) due to waste of resources. One simply doesn't need any encryption in a secure environment (local area network, enterprise networks, etc).

I'm strictly against removing http completely.
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.

Bluemax
Posts: 121
Joined: Wed Jun 12, 2019 5:15 pm

Re: ZM SSL or not?

Post by Bluemax »

asker wrote: Fri Apr 03, 2020 5:12 pm Have you actually found HTTP+WG to be continuously faster than HTTPS?
I've never benchmarked them and it looks like no one else did so far either.