Homeway's Security
We are committed to building Homeway with the strongest and best security possible.
We make Homeway for the Home Assistant community, and our only goal is to provide a fantastic, private, and secure remote access solution. Security is the first consideration for every new feature; if we can't build it securely, we don't.
Homeway never sells or stores your Home Assistant information. This includes any data tunneled through our servers for remote access; after the data has been relayed, it's deleted. For full details, see our Privacy Page.
This page covers the security that protects your Home Assistant remote access. We are a community-driven project; if you have any questions, concerns, or clarifications, don't hesitate to contact us directly.
Overview
Let's start with a quick overview of the security model behind Homeway. After that, we will do a deep dive into each component and detail as much information as possible.
👩 Accounts
Security starts with your account. We encourage users to set strong passwords when creating accounts. We offer Google and Apple as 3rd party login providers, which leverages these providers' account security measures as the first line of security. Adding another layer of security, Homeway will require an emailed code challenge for any login on a new IP. Finally, we optionally offer a code-based 2-factor login challenge that can be enabled on any account.
💻 Servers
Next, server security. When your browser talks to our services, it uses the most modern standard for web security, TLS1.3. This is the same tech used by your bank, government websites, and online retailers. Our SSL certificates are minted by Let's Encrypt from a bot running on each server. We have achieved an A+ security rating with our server and SSL configuration. The certificates are created and used per server and never leave the servers. We strive to stay up-to-date on the latest web server security best practices. For example, we use just-in-time access, require HSTS and HSTS preloading, and bug bounty programs, just to name a few. For a full list, see the details below.
🏠 Add-on For Home Assistant
Moving on to our Home Assistant add-on. Our Homeway add-on connects to our worldwide server network using the same TLS connection as your web browser. This connection is established using a secure WebSocket from the add-on, meaning no port forwarding or mapping is required. Your home router, Home Assistant server, and device are not exposed to the public internet in any way.
As part of the WebSocket handshake, we take security even further. The add-on generates a random challenge, which is sent to the server. The server must sign and return the challenge with its private key, allowing the add-on to verify the signature with the public key. If the challenge fails, the add-on will not connect to the server. While this has some redundancy with the TSL WebSocket connection, if a bad actor was able to generate a valid homeway.io certificate or got control of the homeway domain, since the bad actor won't have the server's private key, add-ons won't connect.
🚀 End-To-End Remote Access
Finally, the end-to-end picture. We use many layers of security to provide the best security possible. First, when your browser makes a request to our Homeway servers, the server verifies you're logged in, and your session credentials are valid. Thus, your user account strength is the first security layer for all remote access. Next, the request is tunneled from our servers to our add-on. Our add-on makes requests to Home Assistant the same way your browser would if the browser was on your local network. The second layer of security is the Home Assistant user login system.
Homeway does not store any information on our servers, including your password or any of your logged-in user session information from Home Assistant. Meaning even if someone had your Homeway user information and logged in to your Homeway account, they would still need to log into your Home Assistant server for access.
🥰 Summary
Our remote access solution elegantly allows significant security but also offers incredible convenience. Our service has been built with the community's feedback and hundreds of engineering hours. We are incredibly proud of what we have made, but there's always room for improvement. If you have any ideas, concerns, or feedback on how we could improve, please contact us directly; we would love to hear from you.
🪸 Deep Dives
The deep dives on each technical section of our server are coming soon. It took a lot of effort just to write this much! 🙌