That is my question. While the traffic is encrypted, it doesnt require a certificate on the other end. So anyone scanning random ngrok addresses can find it and log in.
There are different types of certificates. Base https certs are used to encrypt but do NOT authenticate users to be anyone. You are correct that anyone who randomly connects will get an encrypted connection. When you talk about authenticating users with client specific certs, that is a whole new ball game that gets users into the weeds and details about encryption and certificate signing.
That is why if you don't think there is a risk of a third party snooping on your traffic and don't care about browser warnings that you are not using https then you wouldn't need to care.
If you want to ensure that users are who you think they are you have progressively more secure ways from a) the default user accounts in BI, b) a reverse proxy with user accounts and c) user certs.
oldguy wrote: ↑Sun Jun 07, 2020 7:48 pm
So anyone scanning random ngrok addresses can find it and log in.
How would they login? Isn't there a user name and password set?
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.
Can you save us some time and enlighten us on what you do to secure your system for remote viewing. Or is it just fully air-gaped?
Blue Iris 5.8.9.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
oldguy wrote: ↑Mon Jun 08, 2020 2:51 am
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.
1) The only reason I use ngrok is just to prevent someone from snooping my password over an unencrypted connection.
2) How would someone be able to exploit or access the cameras if they can only access or login to BI? Maybe I've misunderstood what you're asking. (??)
Blue Iris 5.x x64 | Windows 10 Pro x64 | 16GB RAM | i7-7700 3.6 GHz | 1TB HDD | 2TB RAID NAS | 9 Cameras | Almost Dual NIC | 2KVA UPS
oldguy wrote: ↑Sun Jun 07, 2020 7:48 pm
So anyone scanning random ngrok addresses can find it and log in.
How would they login? Isn't there a user name and password set?
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.
https encryption will not address password security in the least. It is just encrypting content over the line.
If you have any worries about bad actors accessing your system, there are a few options:
Keep all cameras inaccessible from the internet. Cameras are one of the MOST frequently hacked devices. Consider every single one of them a weak link.
BI on an updated Win10 system exposed to the internet is moderately secure. We really don't know which web server Ken uses embedded in the product but we hope it is decent.
Using either a VPN or Reverse Proxy is even better as they are peer reviewed and way more secure.
oldguy wrote: ↑Mon Jun 08, 2020 2:51 am
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.
1) The only reason I use ngrok is just to prevent someone from snooping my password over an unencrypted connection.
I think the credentials are secure even without https. Not an expert but it would at least be hashed in some basic way.
Thats a tricky one as good malware (is that a thing?) is designed to be stealthy and elusive. Without good insight into whats happening on your network, it's nearly impossible. Consumer/ISP grade modem router combos have limited logging if any, but they may have some. As we've seen on these forums, cameras using BI do not need to initiate ANY communication whatsoever (unless they are doing NTP for timestamps - in which case they may also need DNS). Ideally they shouldn't be permitted anything so there isn't a chance to dial home, but even if they're not permitted its valuable to see what they're trying to do. Prior to some firmware updates, some of mine were quite chatty in ways I certainly did not want, while still others to this day want to connect to 'the cloud' and I do not have the ability to turn it off. It's very common for admins to overlook some services because "they're harmless" but once you read about things like ICMP tunneling, no means NO.
For those bored or ultra paranoid, check out sites like shodan.io . Took me about 3 minutes to find a listing of >16,000 publicly available BI UI3 login pages... and yep, I confirmed access to a couple of them (didn't try logins). And remember this site is designed for the good guys.
Blue Iris 5.8.9.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
Matts1984 wrote: ↑Mon Jun 08, 2020 6:10 pm
For those bored or ultra paranoid, check out sites like shodan.io . Took me about 3 minutes to find a listing of >16,000 publicly available BI UI3 login pages... and yep, I confirmed access to a couple of them (didn't try logins). And remember this site is designed for the good guys.
Obviously I don't want people to be able to even see my BI login page, but frankly even if someone managed to find the right IP and port, they'd be up against a 25-character password and a 20-character user name. I suppose they could beat their heads against it trying out logins, but unless there's a flaw in the login code I don't see them gaining access.
I don't think BI has any kind of auto-banning for failed login attempts, but that would be a good addition to the app.
Blue Iris 5.x x64 | Windows 10 Pro x64 | 16GB RAM | i7-7700 3.6 GHz | 1TB HDD | 2TB RAID NAS | 9 Cameras | Almost Dual NIC | 2KVA UPS
But yeah, while no one wants to become part of a botnet and I'm hoping you don't have any cameras strategically placed near your showers, in the grand scheme of things we are low profile targets. Do your due diligence and you're fine.
Blue Iris 5.8.9.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
