0

I have a site that I would like to remotely monitor purely for the uptime status of my home network. I don't want to expose my router sign-on page to the internet, so instead, I point to the login page of one of my security cameras.

The external uptime robot monitors the site and makes an HTTPS connection attempt, and it is satisfied when it receives a certificate error and it considers the site up and running.

Is this safer than calling the site on the robot with HTTP instead where I expose the connection? So, the basis of my question is, is a broken SSL connection attempt still safer than a non-SSL connection? In other words, is a broken SSL connection attempt still encrypted?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Gordon
  • 1
  • "safe" from what? What do you want to prevent? – schroeder Aug 21 '21 at 16:20
  • Why do you want the robot's failed connection encrypted? – schroeder Aug 21 '21 at 16:22
  • I just want to conceal the attempted SSL tunnel creation from the view of the third party. Where I am making the possible assumption of, if I attempt to make an SSL connection as opposed to non-SSL, my connection attempt is less exposed to any sniffing activity that may take place. The uncertainty I have which is the basis for the question, does a broken SSL connection offer any protection over an non-SSL in this scenarion. – Gordon Aug 21 '21 at 17:01
  • HTTP or HTTPS those seeing the traffic will see the IP and port. That's enough to know that a connection can be made. So, what do you mean by "less exposed"? What does that mean to you? – schroeder Aug 21 '21 at 17:08
  • 1
    I'm completely confused here! *"... I don't want to expose my router sign-on page to the internet..."* If you have an internet accessible router sign-on page, it's already exposed to the internet. *"... I point to the login page of one of my security cameras ..."* You have security camera logins directly exposed to the internet? *"... it is satisfied when it receives a certificate error..."* Are you suggesting that this is **not** HTTPS or that it is self-signed? *"... is a broken SSL connection attempt still safer than a non-SSL..."* Until the SSL is **completed**, it's **not** encrypted. – user10216038 Aug 21 '21 at 17:37

1 Answers1

0

A self signed SSL certificate is still a perfectly valid certificate. The correct question is: Do I want (as a client) to accept that certificate or not?

In other words, someone who wants to see that camera login page can simply accept the certificate.

If you want to play it safe, you should (1) block your cameras and (2) create a separate HTTP page which, for example, returns a timestamp. For example, in an index.php file:

<?php
echo date('U');

Then you can check that the clock is working as well (make sure the robot doesn't cache the page either).

Alexis Wilke
  • 862
  • 5
  • 19