Blue Iris Web Server Type

poieujh

n3wb
Joined
Feb 27, 2017
Messages
8
Reaction score
1
I was considering getting an SSL certificate.
I have searched the forum for an answer to the type of server Blue Iris uses (Apache, IIS or ??).
The company that I want to acquire the SSL certificate from asks this question.

Thanks,
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
> I was considering getting an SSL certificate.
> I have searched the forum for an answer to the type of server Blue Iris uses (Apache, IIS or ??).
> The company that I want to acquire the SSL certificate from asks this question.
>
> Thanks,

Doesn't work that way; there is no HTTPS in Blue Iris itself. You can use stunnel and add a certificate to that.
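
The stunnel arrangement suggested in the reply above, sketched as an added example that is not part of the original post: stunnel terminates TLS and relays to Blue Iris' plain-HTTP port. The port numbers (8443 outside, 81 for Blue Iris) and the file names are assumptions, not values from this thread.

```ini
; stunnel.conf (added example; ports and file names are assumptions)
; stunnel terminates TLS and forwards plain HTTP to Blue Iris on the same PC.

[blueiris-https]
; Server mode: stunnel accepts TLS from remote clients (this is the default).
client = no

; Port the router forwards to this machine (assumed 8443).
accept = 0.0.0.0:8443

; Blue Iris' own HTTP listener, reached over loopback only (assumed port 81).
connect = 127.0.0.1:81

; Certificate chain and private key in PEM format. With a CA-issued
; certificate the browser/app warnings seen with a self-signed one go away.
cert = fullchain.pem
key = privkey.pem

; Refuse legacy protocol versions (needs a recent stunnel 5.x build).
sslVersionMin = TLSv1.2
```

Forward only the stunnel port on the router, not the Blue Iris HTTP port. This protects the session from eavesdropping; the forwarded port is still reachable by anyone on the Internet.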
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
Is there a need or good reason for the average person to use stunnel and/or certificates? I have looked at it and it seems a bit complicated for me.

I was planning to figure out the VPN thing after reading the VPN for noobs posts, but is stunnel an alternative option or am I misunderstanding the security purpose for using stunnel?

Right now I am temporarily using the BI Automatic UPnP port forward wizard setup to connect and view through the phone app, which as I understand it from reading here is like the worst / least secure thing I can do, correct?
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
> Is there a need or good reason for the average person to use stunnel and/or certificates? I have looked at it and it seems a bit complicated for me.

I think that if you're out of your house and using someone else's WiFi to connect back to your BI, it's technically possible for someone else on the same WiFi network to be able to capture the network packets and be able to see the video you're watching as well. stunnel will prevent that. Having stunnel set up with a properly-signed SSL certificate would stop the warnings you get when you use stunnel with a self-signed SSL certificate.

> I was planning to figure out the VPN thing after reading the VPN for noobs posts, but is stunnel an alternative option or am I misunderstanding the security purpose for using stunnel?

With stunnel, you still have to forward a port to your BI box, so you can still have the potential issue where anyone on the Internet can be connecting to that port and trying to get into your BI box.

> Right now I am temporarily using the BI Automatic UPnP port forward wizard setup to connect and view through the phone app, which as I understand it from reading here is like the worst / least secure thing I can do, correct?

IMO, it'd be worse if you had port-forwarded to your cameras. No knowing if Dahua and Hik have fixed all of the backdoors and bugs that people exploit to gain access to the camera without having to know any of the usernames/passwords you set up. I trust that Ken from BI does a better job of keeping the web-server piece of BI patched and back-door free. Honestly, I'd guess that the majority of BI installs are set up how you are, and <knock on wood>, I haven't heard of any getting hacked. But not having any port-forwarding (because you're using a VPN) is safest.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
I think port forwarding is safer than UPnP. At least from the way I read things.
 

Frank Ecker

Young grasshopper
Joined
Apr 18, 2017
Messages
50
Reaction score
11
Securing your http connection with https prevents anyone from snooping your current connection. It doesn't prevent anyone from making the same connection.

Using VPN along with proper network configuration basically walls off your home network so only authorized users can get into the network. It then secures your access to the entire network with SSL rather than just securing your single web connection.

Wow, re-reading this points out how hard it is for me to clearly explain the difference.

Https = goal is to prevent anyone from snooping on any connections to the server. It does NOT prevent anyone from accessing the server. Once set up, the day-to-day impact to the user is imperceptible.

VPN = goal is to allow only specified users to remotely access the home network and while doing this it also secures the connection from snooping. After setup, the impact to the user is that the user needs to open the VPN connection before accessing the server.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
I added the IP addresses we only use to the BI firewall-like feature. At one point the log would show people that made it to the logon screen. Now I believe only our IPs are getting that logon screen because only our connections are showing up.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
That and I changed it so only admin is local and assigned names to users so someone would have to guess the user name and password.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
> I think port forwarding is safer than UPnP. At least from the way I read things.

UPnP is just another way to set up port forwarding. It allows devices and applications to set up port forwarding on your router without you having to know how to do it.

IMO, UPnP can be dangerous because it allows the possibility for things on your network to forward ports that you may not be aware of.

> That and I changed it so only admin is local and assigned names to users so someone would have to guess the user name and password.

Those are great best practices to follow, but remember that bugs (and back-door user accounts that weren't visible) in the web servers running on both Hikvision and Dahua cameras allowed people to gain access to those devices without having to guess user names or passwords.

So even if you're doing everything right, there can be some underlying issue in the software that can be exploited by others, simply by giving them access to it (via port forwarding). I still think that BI is probably way more secure than a Hik or Dahua device, but there's always a little bit of risk anytime you have anything directly accessible via the Internet.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
I had a tunnel set up but the Netgear router I have only uses tap and iOS doesn't support that. I do have an app for Android on my phone but I'd like my wife to have access also. In the end they are outside cameras. All of my cams have been upgraded to the latest firmwares.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
And I do agree about UPnP. I chose the safest method possible to give my wife access. I hate port forwarding but it was the only solution I have until iOS gives us tap support. I do appreciate your input. Thanks.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
> In the end they are outside cameras. All of my cams have been upgraded to the latest firmwares.

I'm using port-forwarding as well!

Remember though, even though we only have one port forwarded to our BI computers, it's technically possible that with the right bug in the BI web server, someone on the Internet could crash BI in a way that gives them remote Command Prompt-like access to Windows on our BI computers. From there, they could use the built-in FTP client to pull down more of their bad tools to our BI computers, and from there they could try and hop to other devices on our networks (i.e. other computers), or just use our computers to go out to the Internet and do more bad stuff, knowing that the IP address would trace back to our BI computers <and not them>.

IMO, the likelihood of that happening with BI is hopefully next to zero, but I didn't want you to think that the worst case was that someone could see video from your outside cameras. Worst case is that they own the whole computer and use that as a jump box to do more poopy stuff.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
Would our firewalls allow that on the BI computers or other computers?
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,673
Reaction score
14,017
Location
USA
A lot of cameras have UPnP enabled by default, so it is absolutely critical to disable it at the router. Better still to prevent the cameras from reaching the internet at all, using access restriction / parental controls / whatever the router has to accomplish this.

I consider Blue Iris to be much safer to expose online than a camera, though I'm sure if a cybersecurity expert really wanted to they could find plenty of vulnerabilities to exploit. Stunnel won't help at all in that regard.
 

Frank Ecker

Young grasshopper
Joined
Apr 18, 2017
Messages
50
Reaction score
11
By the way, I don't think the thread title was ever answered... I think that BI uses some type of custom home grown web server that is neither nginx, Apache/Tomcat nor IIS.
 