ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

Moderators: grovkillen, Stuntteam, TD-er

bluejedi
Normal user
Posts: 35
Joined: 26 Sep 2016, 14:27

ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#1 Post by bluejedi » 25 Jun 2017, 21:02

The admin password required for accessing/configuring an ESPEasy node travels the network non-encrypted in clear text.
For MQTT the same problem exists. Usernames and passwords required for accessing MQTT gateways travel over the network non-encrypted in clear text.
Any coworker, hacker (or what have you) that has access to the network can snoop the usernames and passwords.

I would appreciate it if the following security features could be added to ESPEasy:
(As far as I'm aware none of these is yet implemented.)
  • HTTPS/TLS access to ESPEasy configuration (UI)
    This requires that a (self-signed) SSL (TLS) server certificate can be configured on the node.
  • Support for MQTT over TLS
    This requires that the (self-signed) CA certificate (chain) can be configured on the node.
  • Support MQTT client certificates
    This requires that a (self-signed) client certificate can be configured on the node.
Points of thought:
How can (similar to Wifi passwords) simple access to the certificates/passwords config data be prevented/protected?
For example in case of nodes being stolen which is much simpler than stealing a computer, especially in the case of outdoor nodes.

krikk
Normal user
Posts: 118
Joined: 28 Feb 2017, 07:57
Location: Austria

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#2 Post by krikk » 25 Jun 2017, 21:30

yeah, all this would be nice, but due to current limits of the hardware NOT possible, too few RAM, as stated on the wiki:

Do NOT expose the ESP Easy web interface directly to the internet, always make sure that the web interface is only reachable from "trusted/local" networks!

bluejedi
Normal user
Posts: 35
Joined: 26 Sep 2016, 14:27

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#3 Post by bluejedi » 25 Jun 2017, 21:53

krikk wrote: 25 Jun 2017, 21:30
yeah, all this would be nice, but due to current limits of the hardware NOT possible, too few RAM, as stated on the wiki:

Do NOT expose the ESP Easy web interface directly to the internet, always make sure that the web interface is only reachable from "trusted/local" networks!

Latter statement is not referring to 'too few RAM'. Do you have any pointers for more info about 'too few ram' for the SSL stuff?
Hey, I don't trust any network when security comes into view.

I always had the impression that ESP8266 was a huge improvement over regular Arduinos when comparing memory and CPU specifications.

krikk
Normal user
Posts: 118
Joined: 28 Feb 2017, 07:57
Location: Austria

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#4 Post by krikk » 25 Jun 2017, 22:36

see closed issue on GitHub: https://github.com/letscontrolit/ESPEasy/issues/179

and if you have a look at this recent issue: https://github.com/letscontrolit/ESPEasy/issues/352 ...you will get an impression how much RAM we have left for TLS stuff... :)

trust me, I would be the first one to implement TLS encryption if it would be possible..

iron
Normal user
Posts: 221
Joined: 24 Sep 2016, 08:37
Location: Greece

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#5 Post by iron » 26 Jan 2019, 20:55

Is MQTT TLS not achievable?

I noticed a few other ESP8266 solutions (tasmota, mongoose, and the likes) that support MQTT TLS.

I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.

Publishing sensitive information to the cloud un-encrypted is like asking for trouble.

-D

enesbcs
Normal user
Posts: 587
Joined: 18 Jun 2017, 11:02
Location: Békéscsaba, Hungary

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#6 Post by enesbcs » 26 Jan 2019, 21:33

iron wrote: 26 Jan 2019, 20:55
I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.

Although I agree that SSL is a good thing, and this would be very useful in ESPEasy, I would never use a public MQTT server, and I would not recommend it to anyone who is capable of setting up a firewall and a dyndns. I think my own data belongs to me, and only to me. Not to mention the travel time of the packages... (local server vs server somewhere in the world, is it a real question?)
Even a $20 router, or a cheap Raspberry Zero can be used to build an own MQTT server with ~1W consumption.

iron
Normal user
Posts: 221
Joined: 24 Sep 2016, 08:37
Location: Greece

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#7 Post by iron » 26 Jan 2019, 21:42

enesbcs wrote: 26 Jan 2019, 21:33
iron wrote: 26 Jan 2019, 20:55
I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.
Although I agree that SSL is a good thing, and this would be very useful in ESPEasy, I would never use a public MQTT server, and I would not recommend it to anyone who is capable of setting up a firewall and a dyndns. I think my own data belongs to me, and only to me. Not to mention the travel time of the packages... (local server vs server somewhere in the world, is it a real question?)
Even a $20 router, or a cheap Raspberry Zero can be used to build an own MQTT server with ~1W consumption.

Not a public server. My own server in the cloud, centralized for all my installations, home, office, summer house, friends house(s).
MQTT is so light and fast the few extra ms of latency literally makes no difference in the home automation, at least to me.

-D
