Consider using SCRAM authentication for the home assistant frontend #23327
kaelonR asked this question in Other feature requests
Having recently started using Home Assistant on a repurposed Intel NUC, I've noticed that the UI is served over HTTP. This means that network traffic to the NUC is sent in plain text, including the username/password authentication.
I think this poses a bit of a security risk: if the local network is not properly configured to separate guest traffic, or if someone gains unauthorized access to the network, they could eavesdrop on the authentication request and get their hands on my credentials.
I understand why the frontend is served over HTTP; using HTTPS requires setting up SSL certificates, and not everyone will have the appetite or know-how to do this. However, a solution exists in the form of SCRAM authentication. SCRAM is a password-based mutual authentication protocol, where the client provides proof to the server that it knows a secret derived from the password, and where the server provides proof to the client that it knows the secret, without the password ever being sent across the wire. This means any eventual eavesdroppers will only get to see hashes, and never the actual password they need to authenticate.
Figured I'd open this issue first to test the waters and see if people are interested. I'm willing to contribute to HomeAssistant and help implement this protocol if this is something the maintainers and community around HomeAssistant would like to see.
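The four-message SCRAM-SHA-256 exchange the post describes, written out with both sides, as an added example that is not part of the post and not Home Assistant code. It follows RFC 5802 / RFC 7677 (Hi() is PBKDF2-HMAC-SHA-256, ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), ServerSignature = HMAC(ServerKey, AuthMessage)). Usernames with `=2C`/`=3D` escapes and channel binding are left out. The username, password, salt and nonces are the constructed inputs from the RFC 7677 example, so the messages it produces can be compared against the RFC; `run_exchange` is a hypothetical driver that returns what each side concluded plus the transcript an on-path listener would see.

```python
"""Minimal SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677), both sides, offline."""
import base64
import hashlib
import hmac
import secrets


def _hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 and a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _attrs(message: str) -> dict:
    """Parse 'k=v,k=v' into a dict; base64 values may themselves contain '='."""
    return dict(part.split("=", 1) for part in message.split(","))


class ScramServer:
    """Server side. Keeps only the verifier (salt, iteration count, StoredKey,
    ServerKey); the password itself is discarded after enrolment."""

    def __init__(self, username: str, password: str, salt: bytes, iterations: int = 4096):
        salted = _hi(password.encode("utf-8"), salt, iterations)
        self.username, self.salt, self.iterations = username, salt, iterations
        self.stored_key = _h(_hmac(salted, b"Client Key"))
        self.server_key = _hmac(salted, b"Server Key")

    def server_first(self, client_first: str, server_nonce: str = "") -> str:
        if not client_first.startswith("n,,"):  # GS2 header: no channel binding
            raise ValueError("unsupported GS2 header")
        self._client_first_bare = client_first[3:]
        attrs = _attrs(self._client_first_bare)
        if attrs.get("n") != self.username:
            raise ValueError("unknown user")
        # Combined nonce = client nonce + fresh server nonce (no commas allowed).
        self._nonce = attrs["r"] + (server_nonce or secrets.token_urlsafe(18))
        self._server_first = f"r={self._nonce},s={_b64(self.salt)},i={self.iterations}"
        return self._server_first

    def server_final(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        attrs = _attrs(without_proof)
        if attrs.get("r") != self._nonce or attrs.get("c") != "biws":  # biws = b64("n,,")
            raise ValueError("nonce or channel-binding mismatch")
        auth_message = f"{self._client_first_bare},{self._server_first},{without_proof}".encode()
        client_signature = _hmac(self.stored_key, auth_message)
        # Undo the XOR to recover ClientKey; H(ClientKey) must equal StoredKey.
        client_key = _xor(base64.b64decode(proof_b64), client_signature)
        if not hmac.compare_digest(_h(client_key), self.stored_key):
            return "e=invalid-proof"
        return "v=" + _b64(_hmac(self.server_key, auth_message))


class ScramClient:
    def __init__(self, username: str, password: str, client_nonce: str = ""):
        self.username, self.password = username, password.encode("utf-8")
        self.nonce = client_nonce or secrets.token_urlsafe(18)

    def client_first(self) -> str:
        self._bare = f"n={self.username},r={self.nonce}"
        return "n,," + self._bare

    def client_final(self, server_first: str) -> str:
        attrs = _attrs(server_first)
        if not attrs["r"].startswith(self.nonce):
            raise ValueError("server did not echo our nonce")
        salted = _hi(self.password, base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c=biws,r={attrs['r']}"
        auth_message = f"{self._bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(_h(client_key), auth_message))
        # Remember what the server must send back to prove it holds ServerKey.
        self._expected_server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={_b64(proof)}"

    def verify_server(self, server_final: str) -> bool:
        if not server_final.startswith("v="):
            return False
        return hmac.compare_digest(base64.b64decode(server_final[2:]), self._expected_server_sig)


def run_exchange(offered_password: str, real_password: str = "pencil"):
    """Hypothetical driver: returns (server_accepted, client_accepted, transcript).
    Inputs are the constructed values from the RFC 7677 example exchange."""
    salt = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
    server = ScramServer("user", real_password, salt, 4096)
    client = ScramClient("user", offered_password, "rOprNGfwEbeRWgbNEkqO")
    c1 = client.client_first()
    s1 = server.server_first(c1, "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0")
    c2 = client.client_final(s1)
    s2 = server.server_final(c2)
    return s2.startswith("v="), client.verify_server(s2), [c1, s1, c2, s2]


if __name__ == "__main__":
    for line in run_exchange("pencil")[2]:
        print(line)  # the four messages; no password appears in any of them
```

The transcript is what a listener on a plain-HTTP link would capture: username, salt, iteration count, nonces and two MACs, but never the password. Two caveats worth keeping in mind when weighing this against TLS: the captured salt, iteration count and AuthMessage let an eavesdropper test password guesses offline (compute the proof for a guess and compare), so SCRAM protects the password only as well as its strength and the iteration count allow; and once authentication succeeds, whatever session token follows still travels in the clear.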