Subscriber Discussion

HTTPS - How Useful Is It For IP Cameras?

Hello, recently I saw a project for a bank where it was asking that cameras have HTTPS. As far as I know, HTTPS is only for camera setup. The video information goes to the VMS via RTSP. Can anyone help me and explain the advantages of using cameras with HTTPS?

The idea to me would be that if the VMS is periodically connecting to the cameras, that connection will be secure and encrypted so that someone running a packet snooper wouldn't be able to grab user/pass that the server is connecting with. Also I have to think that there is some camera/VMS platform that supports secure/encrypted connection for a video stream...
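The point above about a packet snooper, as an added example that is not part of the original thread: a small audit function that reports what a passive listener learns from one VMS-to-camera request, with and without TLS. The two captured requests, the addresses and the account are constructed for illustration, and `audit_request` is a hypothetical helper name.

```python
import base64

# Constructed sample requests, as a VMS might send them to a camera.
# Addresses, account name and password are made up for this example.
HTTP_BASIC = (
    "GET /config HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic " + base64.b64encode(b"vms:Example-Pass1").decode()
    + "\r\n\r\n"
)
RTSP_DIGEST = (
    "DESCRIBE rtsp://192.0.2.10/stream1 RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    'Authorization: Digest username="vms", realm="cam", nonce="abc123", '
    'uri="rtsp://192.0.2.10/stream1", response="0123456789abcdef0123456789abcdef"'
    "\r\n\r\n"
)


def audit_request(raw, encrypted):
    """Report what a passive listener on the path learns from one request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    finding = {"request": lines[0], "auth": "none", "user": None, "exposed": []}
    if encrypted:
        # Under TLS the listener sees ciphertext only, whatever the auth scheme.
        finding["request"] = finding["auth"] = "hidden by TLS"
        return finding
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, params = value.strip().partition(" ")
        finding["auth"] = scheme.lower()
        if finding["auth"] == "basic":
            # Basic is base64 only: both username and password are recoverable.
            try:
                decoded = base64.b64decode(params.strip(), validate=True).decode()
            except ValueError:
                continue  # malformed header, nothing to report
            finding["user"] = decoded.partition(":")[0]
            finding["exposed"] = ["username", "password"]
        elif finding["auth"] == "digest":
            # Digest sends a hashed response, not the password itself.
            fields = dict(p.strip().partition("=")[::2] for p in params.split(","))
            finding["user"] = fields.get("username", "").strip('"') or None
            finding["exposed"] = ["username"]
    return finding
```

Calling `audit_request(HTTP_BASIC, encrypted=False)` and then the same request with `encrypted=True` shows the difference HTTPS makes for the management connection.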

Luis, I concur with Sean.

Here's some stats on use of https:

And here's a comment from fellow group member Luis Carmona:

"You can use a self-signed certificate or one that comes with the hardware. You just get a warning when you access the device that the certificate is not from "a trusted authority". That means it can be spoofed by interception - the "man in the middle" attack. You can get registered certificates from most Internet registrars like Network Solutions, GoDaddy and Verisign, etc.

I doubt the overhead is noticeable with today's hardware, so I don't see it causing slower access.

The lack of HTTPS support is again one of those oxymorons for the security industry and where the industry really lags in modern computer and network concepts."

And here's a comment from Brian Karas at VideoIQ:

"Our cameras support HTTP and HTTPS options (it's in one mode or the other, you can't have "mixed" support). I'd say HTTPS is used maybe 10% of the time, and even then probably only because it's just a checkbox to enable it.

IME, people who *really* want data encryption control implement VPNs, and in many cases limit source IPs so that the camera is not discoverable from the public Internet in the first place."

And another from him:

"It just seems like certain customers or integrators have a healthy paranoia and implement HTTPS or VPNs as a matter of course."

Here's Wagner, a VMS developer, commenting on Axis's support:

"Axis cameras support RTSP over HTTP method to stream data, so turning on HTTPS in this case will cause the video to be sent over this "secure" channel. But that couldn't be true for other vendors, where the video could still be streamed over a plain RTSP connection."

And finally here's a technical note on implementing HTTPS with Axis cameras and Aimetis VMS, a seemingly time-consuming process.

Luis -

I'll give you another bit of advice. Find out *why* they require that. Who specifically requested it, and what problem are they solving with it?

This is a perfect example of how manufacturers can sometimes manipulate specs to limit competition. For example, as John pointed out in my quote in his comment, our cameras support HTTP and HTTPS, and support tunneling of video over those protocols as well. If there was a large project and I wanted to skew things in my favor, I could try and convince them to write in that the cameras must support HTTPS for "security" purposes, even though this would have little practical benefit. That then would automatically eliminate from the competition any camera that DIDN'T support HTTPS, even though those cameras might otherwise be a perfect fit.

Anytime I see a requirement for something that seems puzzling for the given application I try to drill down to find out exactly how and why that requirement got into the spec. In more than one case I've seen instances where it was put in there as a "blocker", but working with the customer to understand what they were really trying to achieve earned me far more consideration in the proposal.

Just some things to consider...

John, you need to get that Like/Thanks/Upvote thing working so I can do it to Brian's post!

If data security is the primary concern, the bank should also be concerned about the security vulnerabilities of the cameras and VMS, not just the transport. Video is encrypted by our cameras when recorded, transported encrypted and stored encrypted.