The DataHub program offers SSL encryption for Tunnel/Mirror, MQTT, and for making HTTPS connections to WebView or the Web Server. The SSL implementation uses the default SSL-3 encryption cipher: DHE-RSA-AES256-SHA, which is a 256-bit encryption method.
An SSL certificate is required to use SSL encryption on a DataHub instance. A default SSL certificate is installed with the DataHub program, or you can use your own certificate.
The certificate in the DataHub installation is a self-signed certificate with an expired end-date. This makes the certificate invalid when checked by the client side of the connection, which is intentional. It is impossible for us to ship a valid certificate. A valid certificate must be issued for the particular domain name or IP address that is hosting the server, and we cannot predict what that will be on your system. In addition, if we ship a certificate it will contain the private key, and anybody else who downloads and installs the DataHub program will also have the same private key. This means that using a certificate that is bundled into the DataHub installer will not protect you from malicious attacks—it will not provide reliable identification of the server, and it will not provide trustworthy encryption. Anybody with access to the certificate and Wireshark can decrypt the entire SSL conversation.
The reason we provide the DataHub self-signed SSL certificate is so that you can easily make encrypted connections from within a trusted environment, where you require encryption but don’t want to manage and renew certificates on each of your DataHub installations. Because the SSL certificates are checked by the client side of the connection (the side that is initiating the connection), we provide options in the DataHub program to ignore invalid certificates, which in turn allows you to use the self-signed SSL certificate we ship with the DataHub program. For Tunnelling, these options are in the configuration of the Tunnel Slave connection. For applications that connect to the DataHub Web Server such as WebView and Remote Config, the options to ignore invalid certificates are provided on the login screens where you enter your username and password. For MQTT, this option is in the Use SSL option of the Authentication configuration.
If you are working in an untrusted environment and are required to have a valid SSL certificate on a DataHub instance, then you must either generate your own certificate using a trusted certificate authority, or get a certificate from a trusted public certificate authority like Verisign or Comodo. In this case you would then configure the DataHub instance to use your trusted certificate and you would disable the options to ignore invalid certificates when making a WebView, MQTT, Tunnel, or Remote Config connection, as applicable.
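The following script is an added example, not a DataHub tool or part of its documentation. It shows the "generate your own certificate using a trusted certificate authority" route: it builds a private CA with the openssl command line, issues a server certificate for the host that runs the DataHub Web Server, and then runs the same three checks a verifying client performs (trusted issuer, host name match, not expired). For contrast it also produces a self-signed certificate, which fails that check for the reason given above: no trusted authority vouches for it. The host name `datahub.example.internal`, the working directory, and the file names are assumptions; the check mirrors standard TLS client validation rather than any DataHub-internal code.

```shell
#!/bin/sh
# Added example, not part of the DataHub product: issue a server certificate
# from your own private CA for the host running the DataHub Web Server, then
# run the checks a connecting client performs (trusted issuer, host name,
# expiry). Host name and working directory are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DATAHUB_HOST="${DATAHUB_HOST:-datahub.example.internal}"   # assumed host name

make_ca() {
  # Private CA: key, CSR, then a self-signed CA certificate marked CA:TRUE
  openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
    -out "$WORKDIR/ca.csr" -subj "/CN=Example Internal CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca.ext"
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -days 3650 \
    -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

make_server_cert() {
  # Server key and CSR; the SAN must be the name clients use to reach DataHub
  openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/server.key" \
    -out "$WORKDIR/server.csr" -subj "/CN=$DATAHUB_HOST" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$DATAHUB_HOST" > "$WORKDIR/server.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Client-side view of a certificate: chains to a trusted CA, name matches,
# and not expired. Prints "valid" or "invalid". Turning this check off is
# what the DataHub "ignore invalid certificates" options do.
check_cert() {   # $1 = certificate file to check
  if openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$DATAHUB_HOST" "$1" \
       >/dev/null 2>&1 \
     && openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# Contrast case: a self-signed certificate, like the one bundled with the
# installer, has no trusted issuer and fails the same check.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORKDIR/self.key" \
    -out "$WORKDIR/self.crt" -subj "/CN=$DATAHUB_HOST" >/dev/null 2>&1
}

make_ca
make_server_cert
make_self_signed
echo "CA-signed certificate for $DATAHUB_HOST: $(check_cert "$WORKDIR/server.crt")"
echo "Self-signed certificate:                 $(check_cert "$WORKDIR/self.crt")"
```

After running it, `server.crt` and `server.key` are what you would install on the DataHub instance, and `ca.crt` is what the connecting side (WebView, Remote Config, MQTT client, or Tunnel Slave) needs to trust; once that is in place, the options to ignore invalid certificates can be turned off so the client check above is actually enforced. The private CA key should stay off the DataHub host entirely, which is the property the bundled certificate cannot offer.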
The DataHub program lets you specify which ports it will use for tunnelling/mirroring over a network. Opening such a port on the firewall exposes only the DataHub instance listening on it: any program that attempts to connect on that port must be able to communicate with that DataHub instance, and as long as authentication is used for tunnelling, even a user who attempts to connect using another DataHub instance will need access to a valid username and password.