this post was submitted on 17 Feb 2024
64 points (97.1% liked)

Privacy


Is there a community specific to FOSS or just general privacy-oriented IoT? With plenty of hardware discussion along with software. Routers, piholes, Meshtastic, anything IoT but open source. If it touches a network but you want it to do something it doesn't. Flashing a doorbell camera with FOSS firmware. Hosting media servers on your phone's hotspot. Loading gcode to a printer from anywhere. There are so many things and possibilities.

If there isn't, someone should start one, OpenIoT or something catchy and relevant.

[–] MigratingtoLemmy 3 points 10 months ago* (last edited 10 months ago) (11 children)

Probably homelab/self-hosted communities, but you'll have to preface that you're focussing on the security aspect rather than the usability of the application/device. With that said, I'd like for the kind of community you mention to be big and have a lot of engagement but I think it's too niche even amongst niche communities like self-hosting.

With that said, the principles are largely the same. Netsec applies to everything that touches the network, FOSS or otherwise. If you're using Zigbee, you're going to have to read about RF and how to secure yourself (Zigbee uses symmetric encryption from what I've heard and I really don't like the idea). Funnily enough, when I had posed a question on RF privacy here I was ridiculed and downvoted, seemingly by a community that "cares" about privacy.

Yes, there's a lot of hypocrites here. Which is also another reason why you probably won't find much traction for the community you're thinking of. But I'll stop there.

Edit: I completely missed the HA, Node-RED and OpenHAB communities, but you'll probably find them in other forums and not particularly active here other than Home Assistant.

[–] nottelling 7 points 10 months ago (1 children)

Your HTTPS connections are also symmetric, so that's a silly thing to dislike.

The handshake and key exchange are asymmetric, and used to establish a symmetric session key.

ZigBee encryption is fine for the use case, because you're only adding devices you know are being added. You inherently trust that your physical ZigBee device is the device it claims to be.

There's potentially an opportunity to hijack the key exchange between devices at network join, but you'd have to approve the listening device to your network in the first place.

https://development.libelium.com/zigbee-networking-guide/security-and-data-encryption

[–] MigratingtoLemmy 6 points 10 months ago (1 children)

Thank you for clarifying, and my apologies.

[–] nottelling 4 points 10 months ago (1 children)

No apology needed, one thing about security is that paranoia is good. One problem with security is that paranoia leads to assumptions and misinformation, rather than understanding.

Symmetric key encryption is much faster than asymmetric, and can use much larger keys with less compute penalty. So we use CPU-intensive asymmetric TLS handshakes to safely exchange the keys, and then switch to the faster method for the data.

So when ZigBee uses AES 128, you can be reasonably sure the data packets are safe. The next question to ask is "do they exchange their keys safely?"

Which in this case would be "no" if you just leave the ZigBee controller in pairing mode all the time. However, you only allow pairing when you want it, and only pair with devices you explicitly allow. Unauthorized devices never get your network key.
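
The point made in the comment above, that the controller should not sit in pairing mode and that only approved devices should join, can be checked after the fact. The following is an added example, not part of the thread and not code from any Zigbee project: it audits a coordinator event log for joins by unapproved devices and for pairing windows left open too long. The log format, the device addresses and the 5-minute limit are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log. The "timestamp event [address]" format is hypothetical,
# not the output of any real Zigbee coordinator.
SAMPLE_LOG = """\
2024-02-17T10:00:00 permit_join_on
2024-02-17T10:00:40 device_joined 00:11:22:33:44:55:66:01
2024-02-17T10:01:00 permit_join_off
2024-02-17T14:00:00 permit_join_on
2024-02-17T14:20:00 device_joined 00:11:22:33:44:55:66:02
2024-02-17T15:30:00 device_joined aa:bb:cc:dd:ee:ff:00:99
2024-02-17T18:00:00 permit_join_off
2024-02-17T19:00:00 device_joined 00:11:22:33:44:55:66:03
"""
# Devices the owner explicitly approved (constructed addresses).
ALLOWED = {f"00:11:22:33:44:55:66:0{n}" for n in (1, 2, 3)}
MAX_WINDOW = timedelta(minutes=5)  # assumed policy limit, not a Zigbee constant


def audit(log_text, allowed, max_window=MAX_WINDOW):
    """Return (finding, timestamp, detail) tuples for risky pairing activity."""
    findings, opened = [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, event, *rest = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if event == "permit_join_on":
            opened = opened or ts  # a repeated "on" keeps the earliest open time
        elif event == "permit_join_off":
            if opened and ts - opened > max_window:
                findings.append(("window_too_long", opened.isoformat(), str(ts - opened)))
            opened = None
        elif event == "device_joined":
            addr = rest[0].lower()
            if opened is None:  # unexpected in this simplified model
                findings.append(("join_while_closed", ts_raw, addr))
            elif addr not in allowed:  # joined without being on the allowlist
                findings.append(("unknown_device", ts_raw, addr))
            elif ts - opened > max_window:  # approved, but window was left open
                findings.append(("join_in_stale_window", ts_raw, addr))
    if opened is not None:  # log ends with pairing still enabled
        findings.append(("window_never_closed", opened.isoformat(), ""))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ALLOWED):
        print(*finding)
```
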

[–] MigratingtoLemmy 1 points 10 months ago (1 children)

Could you tell me more about how secure the key exchange is?

[–] nottelling 2 points 10 months ago (1 children)

Check the link I posted above, or you can look at the 802.15.4 wiki for an overview.

https://en.m.wikipedia.org/wiki/IEEE_802.15.4, scroll to the security section.

[–] MigratingtoLemmy 2 points 10 months ago