SSL and https

We at Telldus take security very seriously. As soon as information about the DROWN and POODLE attacks on SSL was published, we started to examine their effects and how to resolve these issues.

With this message we would like to assure you that, apart from security, user satisfaction is one key foundation defining how we work. This is also one of the reasons we are delayed with the resolution. To deal with these vulnerabilities, we had the option to close down TelldusCenter and support you in setting up Telldus Live! via our new TellStick Gateways instead. That would mean swapping the old TellStick for Version 2 of our Gateway. This is, in our opinion, the best option for those of you who are using TelldusCenter, since in the process you also get the optimum security and feature set that we have today. In short, we do not want you to be left behind, but to walk with us towards a safer, more secure Smart Home Solution than the old version.

But we haven’t closed down Telldus Live! access for TelldusCenter, because we want to affect your running setups as little as possible and keep your options open. We therefore chose to upgrade TelldusCenter. This is taking more time than expected due to the complexity, and we are working hard to finalize these changes, which we believe should happen shortly. Once done, these vulnerabilities will be removed.

In addition to this, we have also decided on a few other security updates and some restructuring that would allow us to better separate the servers that need to remain open for TelldusCenter from the others. These upgrades will also allow us to turn on https as default for the Telldus Live! web.

Update 2018-02-28:
As some of you have noticed, there is a difference between servers regarding what SSL versions they accept. We are only using api.telldus.com for TelldusCenter and that URL is now considered legacy. If you are connecting to our API using SSL, you should use pa-api.telldus.com instead.

Comments

1. marcus assarlind <nmeden@…> -- 2018-02-27 22:19

If you take security very seriously, maybe you should enable 2 factor authentication? And maybe url calls to other services over https?