Security and privacy of the remote connection/nymea:cloud

Hi, I’m in the search for a smart home system that’s not only intuitive/easy to use, but also secure, privacy friendly and actively developed.

And it seems Nymea is ticking a lot of those boxes :clap:, especially when used locally. But for ease of use it is very alluring to turn on the remote connection. I can however not find any documentation on privacy and security of the remote connection.

So I have some questions:

  1. The only thing I read was this post in the forums recommending a strong password, which is a no-brainer. However: are there any other actions taken on your end, or is there anything more that I can do? (I considered changing all servers in system settings to SSL and login required, but wasn’t sure if I would break something)

  2. I believe the remote connection is encrypted and established over a proxy server (am I right?). The most insecure moments then are checking out of nymea:app, checking in and out of the remote server and checking in to nymea:core, vice versa. How are these insecure moments secured?

  3. In terms of privacy (GDPR): where is the proxy server located?

  4. In terms of continuity of active development: who is paying for this server (or any other services, like you answering my questions)?

Hi,

As you said, the most important thing is to pick a good password. In order to counter brute forcing the password, nymea core will lock down all incoming connections for a few seconds on a wrong authentication request or invalid tokens (basically on any anomaly it detects in the protocol).

Currently, the core and app connect via an SSL-encrypted connection to the proxy server. The connection is verified by an SSL certificate of nymea.io. All the remote proxy does is forward traffic between app and core without doing anything with that data. It’s not looking at the payload at all, nor does it store any user/account info, nothing.
We sure want to add end-to-end encryption from app to core but haven’t had the resources to do that so far. That’s a frequently discussed topic though and hopefully we’ll get to that soon. Once that’s in place we’d also like to add features like client pinning to enhance security even more.
In case you don’t trust us with that server, you can host your own instance of the remote proxy code hosted on GitHub and completely bypass anything hosted by nymea. The core and the app can both be configured to use another proxy URL. If you also don’t trust our code for that server, another option you have is to forward a port in your router and manually add a connection to your home IP in one way or another (dyndns etc). Some people also run their own VPN and use that instead of the nymea remote connection.

Currently nymea hosts only a single server (located in Germany) and is paying for that. Given the server doesn’t do anything with the data, it’s relatively easy on the resources of the server. If the community grows to a point where that single server can’t handle the load any more, we’ll probably either ask people to host their own instance instead or maybe host additional servers for a small fee or perhaps see how far we’ll get with a donation system. We’ll decide when we get there.

Same goes for answering questions here. That’s pretty much something we do in our spare time to help grow the community and with that the project. So, if you like the project, we’d appreciate any help, be it helping to answer questions here, spreading the word about nymea, contributing translations, beta testing or contributing code, or since you ask, donating some bucks to help us run that proxy server :blush:
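
The lockdown behaviour described in the reply above (all incoming connections refused for a few seconds after a wrong authentication request, an invalid token or any other protocol anomaly) as an added illustration in Python. This is not nymea’s own code: the `ConnectionGate` class, the request dict format, the method names, the tokens and the 5-second duration are all assumptions made for this example; the clock is injectable so the timing can be checked offline.

```python
"""Added example, not nymea's code: a single global authentication gate that
locks out EVERY client for a few seconds after one anomaly, modelling the
brute-force countermeasure described in the reply above."""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

LOCKDOWN_SECONDS = 5.0  # assumed value; the reply only says "a few seconds"


@dataclass
class ConnectionGate:
    valid_tokens: Set[str]                     # constructed token store
    lockdown_seconds: float = LOCKDOWN_SECONDS
    clock: Callable[[], float] = time.monotonic  # injectable for testing
    locked_until: float = 0.0
    audit: List[str] = field(default_factory=list)

    def is_locked(self) -> bool:
        return self.clock() < self.locked_until

    def _lockdown(self, reason: str) -> None:
        # One global timer: a single anomaly penalises every client, so the
        # guessing rate stays capped no matter how many parallel connections
        # a guesser opens. Legitimate clients are briefly affected too.
        self.locked_until = self.clock() + self.lockdown_seconds
        self.audit.append(f"lockdown ({self.lockdown_seconds:.0f}s): {reason}")

    def _token_is_valid(self, token: str) -> bool:
        # Constant-time comparison so timing does not leak partial matches.
        return any(hmac.compare_digest(token.encode(), t.encode())
                   for t in self.valid_tokens)

    def handle(self, message: Dict) -> Tuple[bool, str]:
        """Process one request dict; returns (accepted, status)."""
        if self.is_locked():
            return False, "locked"
        # Protocol anomaly: not a well-formed request at all.
        if not isinstance(message.get("method"), str) or "token" not in message:
            self._lockdown("malformed request")
            return False, "rejected"
        token = message["token"]
        if not isinstance(token, str) or not self._token_is_valid(token):
            self._lockdown("invalid token")
            return False, "rejected"
        return True, "ok"


class FakeClock:
    """Manually advanced clock so the example runs deterministically offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Replay a constructed sequence of requests and return their statuses."""
    clock = FakeClock()
    gate = ConnectionGate(valid_tokens={"constructed-good-token"}, clock=clock)
    good = {"method": "Demo.Ping", "token": "constructed-good-token"}
    guess = {"method": "Demo.Ping", "token": "guess-0001"}
    malformed = {"method": 42}  # wrong type and no token at all

    statuses = [gate.handle(good)[1]]      # "ok"
    statuses.append(gate.handle(guess)[1])  # "rejected" and lockdown starts
    statuses.append(gate.handle(good)[1])   # "locked": even the real client waits
    clock.advance(LOCKDOWN_SECONDS)
    statuses.append(gate.handle(good)[1])   # "ok" again once the timer expires
    statuses.append(gate.handle(malformed)[1])  # "rejected": protocol anomaly
    return statuses


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The point to notice is the third request: during the lockdown the correct token is refused as well, which is the trade-off the reply accepts in exchange for throttling every guess to at most one per lockdown period.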

Hi,
Thanks for your answers. Looks pretty secure for now, and even more secure in the future :slightly_smiling_face:

I looked into helping with translations, but the link to translate.nymea.io offered on the contribution page is not working. Is this still the preferred way, or do I need to post pull requests on Github?

As for the donations: it makes sense to offer this as one of the ways to help out. Especially for users that aren’t helping in another way and/or don’t belong to the early adopters. “How can I help?” could be part of the getting started tutorial, I guess. You do however need a “buy me a coffee”-link or a Patreon or something like that :wink:

Hi,

yeah, indeed… In an attempt to minimize server costs we had moved the server that hosted translations.nymea.io and haven’t had the time to set it up again. Also we weren’t overly happy with the solution we had (weblate) and it would be about time to evaluate again which translation system would make sense the most. For the time being, we’re using Qt Linguist and translate the .ts files in the repositories. I for one find that much better than any web based solution anyways, but it comes with the burden of having to install an application on the computer… If you, by any chance have some experience and motivation to help getting a translation system up and running again, we’re totally open for suggestions.

Hmm… I did think we’ve got some donations link somewhere, but seems that got lost in the last cleanup too :smiley:
As you can see, we’re really focusing on the code itself and try to make that the best… This in turn causes us to do quite badly on the stuff around, like social media advertising, the website etc etc… We’d hope to eventually get the community to help us more with all of that…

I did a quick look into Qt linguist (mainly a YouTube video) and it seems to work quite well and is on Windows. The only question is: how easy is it to get it to work with the repository. Most translation solutions are more of a hassle than the average translator is prepared for. So ease of use is again the loophole.

Well, once installed, it’s really just about opening the according .ts files in the repositories with it. And then filing a pull request on GitHub… If you ask me, I’d say it’s easy, but I can totally see how someone would struggle with git to a point of not being able to file a pull request… So I get that this is not ideal and preferably we’d find a solution that allows you to just open a website, type in translations and click a save button… Well, maybe the .ts file + Qt Linguist option would work if it’d be documented better step by step… (fwiw, the nymea website documentation is hosted on GitHub - nymea/nymea-docs: Developer documentation + Tools for building the overall online documentation from different projects. and can be edited by the community too)

That said, any translation tool, be it a local application or a web based solution, that supports .ts files would work, doesn’t have to be Qt Linguist.