Web app security


#1

Since farmbot must be operated via a web interface, shouldn’t we be discussing how secure it is? I’m not saying it’s a high priority hacking target, but we obviously want to make sure it stays under its builders’ control.


#2

Would installing everything needed to run a farmbot on a small form factor PC running as an Ubuntu server be the most secure/cost effective way to address this issue in the absence of any apparent interest in discussing this?


#3

Here’s what I posted in the “getting started” topic: Why are you collecting and storing sensitive data?


#4

Hi hadavis, I don't know if that fits into this topic, but:

As I understand it at the moment, your local Raspberry Pi establishes a connection to the FarmBot servers in order to save its configuration, the pictures you are taking, etc. pp., right?
Then you need to log in via the Internet to have access to your FarmBot? Why so complicated and not data-secure?
I would ask more questions about this topic if I understood correctly. Please let me know if I am right…

Cheers
Klim
edit: Sorry, I discovered the wiki about the software: https://cloud.githubusercontent.com/assets/12681652/19332443/e0345a90-90a0-11e6-85ce-0a9aa03a7ea9.png
What is the use of storing everything in the cloud?

I would really like to see that the user can decide whether he wants to save all information in the cloud (his own crop database, configs, etc.) or host it locally on the Rasp.

I really don't like the philosophy that everyone is forced into the cloud. There is no use for it in this application from my standpoint. You can have access to the OpenFarm database by downloading it to your Rasp, you can download the latest firmware from farmbot.io, etc… There is no use in storing everything on your servers; even more, you need to provide the storage and infrastructure costs. What for?
Only for access to the FarmBot from everywhere in the world? Why don't you set the access point at the Rasp? Comfort concerns of the user configuring his/her home network?

Sorry that I am complaining so heavily about this philosophy, and maybe I am wrong, but the whole "move it to the cloud, it's free of cost" philosophy is completely wrong and misunderstood by so many people, in my opinion!!!


#5

A couple of points:

  1. You can in fact host everything yourself on your own network. They provide some guidance and documentation for doing so; it's fairly complicated to do, but doable.
  2. Almost every "new" service faces the same issues with respect to on-premises vs. cloud.

Companies tend to lean towards putting everything they can on the cloud these days. It's a pretty complicated set of trades, but mostly it comes down to simplicity of deployment on the part of the company offering the service (in this case FarmBot) and CapEx (what it costs you to initially buy it) vs. OpEx (what it costs you to maintain it on an ongoing basis) on the part of the user.


#6

2-factor authentication solves lots of security problems at the user layer. For web code, OWASP has excellent guidelines. I'll post something on the feature request page…