Hi Milestone Team,
We are creating an integration with Milestone Mobile Server using the Milestone Mobile JavaScript SDK, but it requires hosting Mobile Server on a publicly accessible server.
As users can access the website and Milestone video feeds from the public internet how can we integrate with Milestone Mobile Server securely without any security risk?
I also noticed that the WebSocket connection created with the Mobile server for video streaming is not secured and can be accessed without token/authentication.
Let me know if I’m missing anything.
Thank you!
As a start I would like to point to the XProtect VMS Hardening Guide. I think this is the document you need to know if dealing with security in Milestone XProtect generally. https://doc.milestonesys.com/latest/en-US/portal/htm/chapter-page-hardening-guide.htm
For your comment on the token I asked expert colleagues and they said:
"However, our current security measures are designed to mitigate this risk. The unique ID is shared exclusively over a secure https connection, which ensures the confidentiality and integrity of the data in transit. Furthermore, the unique ID is only valid for a limited duration, reducing the window of opportunity for any potential misuse."
PSIRT Team said:
"The security relies on a randomly generated ID that is valid only for a short period of time. It is a similar concept as, for example, session cookies. The point here is that those IDs are not easily guessable and there shouldn't be any way for malicious actors to obtain them."
If you wonder what PSIRT is please see - https://www.milestonesys.com/support/help-and-documentation/cyber-security/psirt/
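The reply above describes the scheme in concept: a random, non-guessable ID, handed out over HTTPS and valid only for a short time. As an added illustration (not Milestone's code, and not how Mobile Server is implemented), here is a minimal server-side token store showing what that concept requires; the class name, the 60-second lifetime, the in-memory store and the injectable clock are assumptions.

```python
import hmac
import secrets
import time

# Constructed example of a short-lived, random stream ID as described in the
# thread. Hypothetical; not Milestone's implementation.

TOKEN_TTL_SECONDS = 60  # assumed lifetime; a short window limits replay exposure


class StreamTokenStore:
    """Issues and validates time-limited stream IDs bound to a user."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self._tokens = {}           # token -> (user, expiry timestamp)

    def issue(self, user):
        # 32 bytes from the OS CSPRNG (256 bits): not guessable or enumerable.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, self.clock() + self.ttl)
        return token

    def _purge_expired(self, now):
        # Drop expired entries so a stale ID can never be accepted later and
        # the store cannot grow without bound.
        for t in [t for t, (_, exp) in self._tokens.items() if exp <= now]:
            del self._tokens[t]

    def validate(self, presented):
        """Return the owning user for a live token, otherwise None."""
        # compare_digest needs ASCII str; anything else is rejected outright.
        if not isinstance(presented, str) or not presented.isascii():
            return None
        self._purge_expired(self.clock())
        match = None
        for t in self._tokens:
            # compare_digest avoids early-exit timing differences per comparison.
            if hmac.compare_digest(t, presented):
                match = t
        if match is None:
            return None
        user, _ = self._tokens[match]
        return user
```

The stream endpoint (WebSocket upgrade or similar) would call `validate` on the presented ID and refuse the connection on `None`; issuing the ID only over HTTPS is what keeps it from being observed in transit.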