Security Issue image does not require password. 8)

Drago
Posts: 6
Joined: Sat Feb 20, 2010 1:22 am

Post by Drago »

Hello,

First of all I want to congratulate you Malun, this is one fine piece of software. It's now a vital part of my home server.

I had a hard time finding a cam server that would allow me to use multiple cams, stream via jpegs, do motion capture and ftp upload simultaneously.

Yawcam is just great.

Now to the point, I'm kind of a security freak, and I just don't want anyone to easily hack into my cams and view my house. So I did some very simple checking on the password feature. As it turns out, the only thing you need is the URL of the pic and it won't even ask you for a password. For example:

http://domain.com:8087/out.jpg?q=30&id=0.126546484865

You don't even need the "r" argument: &r=1344564864684

With only that, anyone can see your stream. I know it would be quite difficult for an outsider to get the id parameter, but when you're on a network, well, pretty much everyone can see the URLs you access, so the jpg source is quite unprotected.

I have a few questions:

- Does Yawcam use a standard webserver, like Apache, or is it some custom code done by you?
- Can basic authentication via .htpasswd be added?
- How difficult would it be to stream via https?

Mainly all security problems could be addressed by Yawcam allowing you to use your own webserver. We could easily stream via Apache, with https, and even use PHP with cookies for session variables and authentication. If there is already a way I can stream with my own webserver, that would be great.


Also, is there a way to reduce the size of the image that is constantly being refreshed? I know you can set the initial size, but the actual image's size doesn't change, just the box it is in. For example, in one of my cams I have a 720px × 576px image (scaled to 320px × 240px).

Streams would work much faster if you could stream images at 320px × 240px instead of sending the huge 576 image and scaling it down. Maybe there is already a way to do this; if so, I would appreciate it if someone pointed me in the right direction.

Also, have you thought about making Yawcam open source? It would become huge!!! And more people like me would be happy to contribute. The software is already free and I bet that you wish you had more time to add more features. Is there any particular reason why it is not open source?

Thank you Malun and everyone else for reading my post.

bben95
Moderator
Posts: 39
Joined: Thu Feb 04, 2010 2:40 pm

Post by bben95 »

You can change the size of the image using
Settings> Device> Format control
but this affects everything, not just the stream
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

First I'll try to clarify some things about the password protection.

You are right in that if an intruder gets hold of the id-string and this id already has been authorized and is currently active in Yawcam, the intruder can view the image output. The id-string could be obtained by sniffing the network traffic. But sniffing the traffic could also reveal the username and password since they are sent in clear text. (Just like in the FTP protocol or .htaccess case addressed below...)
I guess that more than 99% of the Internet users won't be able to access the right network and sniff the traffic to find the information needed to "hack" in to watch your webcam.

Security is a tricky business ;-) One has to decide on what level the security should be on. You can never get totally secure...

What I'm trying to say is that the password protection in Yawcam should be good enough for most home users.


I'll now try to answer your questions...

1) No, Yawcam uses its own webserver. It's possible to use a standalone server and let Yawcam upload or save images into this webserver. If your standalone webserver is configured for https these images will be transferred in a secure way. File or ftp output can give around 1 fps at maximum. Real streaming via a standalone webserver will not work in a secure way though...

2) It's possible that .htaccess/.htpasswd could be added, but since this method also sends the password in clear text it doesn't offer more security than the current solution in Yawcam. With .htaccess the network can be sniffed and password revealed.

3) I guess it could be done, but then you will have the extra work with certificates. You would have to create a certificate that the webserver could use. This is probably too complex for most webcam users. These certificates will not be trusted by the certificate authorities and a viewer would meet a somewhat scary screen looking something like this:
[Image]
and would be required to add this certificate as an exception. Due to the complexity, and that probably not so many users would use https security, adding this function to Yawcam doesn't get so high on the priority list.

/malun
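
Added example, not part of the thread and not Yawcam code: a small Python front end that combines the two options discussed in answers 2 and 3, so that the Basic-auth password and the id-bearing image URL both travel inside TLS and every request is authenticated regardless of the id value. It assumes the camera server's own port (8087 here) is firewalled so that only this proxy can reach it, that `cert.pem`/`key.pem` exist, and that clients poll single images such as `out.jpg`; the names `make_proxy` and `start`, the port 8443 and the credentials are illustrative.

```python
import base64, hmac, http.client, ssl, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def make_proxy(host, port, user, password):
    """Handler class: require HTTP Basic auth, then relay GETs to the camera server."""
    expected = base64.b64encode(f"{user}:{password}".encode())

    class Proxy(BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep id-bearing query strings out of logs
            pass
        def do_GET(self):
            scheme, _, cred = self.headers.get("Authorization", "").partition(" ")
            # Checked on every request, so a copied URL alone is not enough.
            if not (scheme.lower() == "basic" and
                    hmac.compare_digest(cred.strip().encode(), expected)):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="webcam"')
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            conn = http.client.HTTPConnection(host, port, timeout=5)
            try:
                conn.request("GET", self.path)      # path and query passed through
                resp = conn.getresponse()
                body = resp.read()                  # one image per request
            except (OSError, http.client.HTTPException):
                self.send_error(502)
                return
            finally:
                conn.close()
            self.send_response(resp.status)
            self.send_header("Content-Type",
                             resp.getheader("Content-Type", "application/octet-stream"))
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Proxy

def start(addr, handler, certfile=None, keyfile=None):
    """Serve in a background thread; when certfile is given the listener is HTTPS only."""
    httpd = ThreadingHTTPServer(addr, handler)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

if __name__ == "__main__":  # assumed values: camera on 127.0.0.1:8087, cert files present
    start(("0.0.0.0", 8443), make_proxy("127.0.0.1", 8087, "viewer", "change-me"),
          "cert.pem", "key.pem")
    threading.Event().wait()
```

With a self-signed certificate, viewers get the browser warning described in answer 3 until they trust that certificate. Because each response is read in full before it is relayed, an endless multipart stream would not pass through this sketch.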
Drago
Posts: 6
Joined: Sat Feb 20, 2010 1:22 am

Post by Drago »

Malun,

Thanks a lot for your prompt response. I agree with you on the security part being enough for most of the people.

Now on another subject, what do you think about making yawcam open source?
Drago
Posts: 6
Joined: Sat Feb 20, 2010 1:22 am

Post by Drago »

bben95 wrote:
> You can change the size of the image using
> Settings> Device> Format control
> but this affects everything, not just the stream

I tried changing the size of the stream like you said and I'm still getting the same huge images.

I hope someone can point me in the right direction.
z3r0c00l12
Moderator
Posts: 1210
Joined: Wed Jan 14, 2009 3:50 am

Post by z3r0c00l12 »

Have you tried hosting the Own_Server.html page on your own webserver and changing the settings on the html page to default the scale to the size you want? (The image will still be sent in full resolution, but the stream will be the size you define on the page.)

z3r0c00l12
Drago
Posts: 6
Joined: Sat Feb 20, 2010 1:22 am

Post by Drago »

z3r0c00l12 wrote:
> Have you tried hosting the Own_Server.html page on your own webserver and changing the settings on the html page to default the scale to the size you want? (The image will still be sent in full resolution, but the stream will be the size you define on the page.)
>
> z3r0c00l12

Hello, the image is being resized correctly. What I don't want is to broadcast the image in full resolution and then resize it; it's a huge waste of bandwidth.
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

I don't want to release Yawcam as open source at the moment. I want complete control of the development right now. I might want to reconsider this decision in the future...

/malun
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

As bben95 says, you will have to change the image size by the options in "Settings> Device> Format control".
In the later beta version it is also possible to change the image size by clicking: "Settings -> Device -> Change to device..."

All other settings for changing the image size will only scale the image and the same amount of data will be transferred as if the image size is big.

/malun