ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

Moderators: grovkillen, Stuntteam, TD-er

Post Reply
Message
Author
bluejedi
Normal user
Posts: 35
Joined: 26 Sep 2016, 14:27

ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#1 Post by bluejedi » 25 Jun 2017, 21:02

The admin password required for accessing/configuring an ESPEasy node travels the network non-encrypted in clear text.
For MQTT the same problem exists. Usernames and passwords required for accessing MQTT gateways travel over the network non-encrypted in clear text.
Any coworker, hacker (or what have you) that has access to the network can snoop the usernames and passwords.

I would appreciate if the following security features could to be added to ESPEasy:
(As far as I'm aware none of these is yet implemented.)
  • HTTPS/TLS access to ESPEasy configuration (UI)
    This requires that a (self-signed) SSL (TLS) server certificate can be configured on the node.
  • Support for MQTT over TLS
    This requires that the (self-signed) CA certificate (chain) can be configured on the node.
  • Support MQTT client certificates
    This requires that a (self-signed) client certificate can be configured on the node.
Points of thought:
How can (similar to Wifi passwords) simple access to the certificates/passwords config data be prevented/protected?
For example in case of nodes being stolen which is much simpler than stealing a computer, especially in the case of outdoor nodes.

krikk
Normal user
Posts: 115
Joined: 28 Feb 2017, 07:57
Location: Austria
Contact:

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#2 Post by krikk » 25 Jun 2017, 21:30

yeah, all this would be nice, but due to current limits of the hardware NOT possible, to few ram, as stated on the wiki:

Do NOT expose the ESP Easy web interface directly to the internet, always make sure that the web interface is only reachable from "trusted/local" networks!

bluejedi
Normal user
Posts: 35
Joined: 26 Sep 2016, 14:27

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#3 Post by bluejedi » 25 Jun 2017, 21:53

krikk wrote:
25 Jun 2017, 21:30
yeah, all this would be nice, but due to current limits of the hardware NOT possible, to few ram, as stated on the wiki:

Do NOT expose the ESP Easy web interface directly to the internet, always make sure that the web interface is only reachable from "trusted/local" networks!
Latter statement is not referring to 'too few RAM'. Do you have any pointers for more info about 'too few ram' for the SSL stuff?
Hey, I don't trust any network when security comes into view.

I always had the impression that ESP8266 was a huge improvement over regular Arduino's when comparing memory and CPU specifications.

krikk
Normal user
Posts: 115
Joined: 28 Feb 2017, 07:57
Location: Austria
Contact:

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#4 Post by krikk » 25 Jun 2017, 22:36

see closed issue on githubhttps://github.com/letscontrolit/ESPEasy/issues/179

and if you have a look on this recent issue: https://github.com/letscontrolit/ESPEasy/issues/352 ..you will get an impression how much RAM we have left for TLS stuff... :)

trust me, i would be the first one to implement TLS encryption if it would be possible..

User avatar
iron
Normal user
Posts: 85
Joined: 24 Sep 2016, 08:37
Location: Veria, Greece
Contact:

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#5 Post by iron » 26 Jan 2019, 20:55

Is MQTT TLS not achievable ?

I noticed a few other ESP8266 solutions (tasmota, mongoose, and the likes) that support MQTT TLS

I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.

Publishing sensitive information to the cloud un-encrypted is like asking for trouble.

-D
-D

User avatar
enesbcs
Normal user
Posts: 427
Joined: 18 Jun 2017, 11:02
Location: Békéscsaba, Hungary
Contact:

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#6 Post by enesbcs » 26 Jan 2019, 21:33

iron wrote:
26 Jan 2019, 20:55
I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.
Although I agree that SSL is a good thing, and this would be very useful in ESPEasy, I would never use a public MQTT server, and i would not recommend to anyone, who is capable to set up a firwall and a dyndns. I think my own data belongs to me, and only to me. Not to mention the travel time of the packages... (local server Vs server somewhere in the world, is it a real question?)
Even a $20 router, or a cheap Raspberry Zero can be used to build an own MQTT server with ~1W consumption.

User avatar
iron
Normal user
Posts: 85
Joined: 24 Sep 2016, 08:37
Location: Veria, Greece
Contact:

Re: ESPEasy Security - SSL/TLS, MQTT over TLS and certificates

#7 Post by iron » 26 Jan 2019, 21:42

enesbcs wrote:
26 Jan 2019, 21:33
iron wrote:
26 Jan 2019, 20:55
I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.
Although I agree that SSL is a good thing, and this would be very useful in ESPEasy, I would never use a public MQTT server, and i would not recommend to anyone, who is capable to set up a firwall and a dyndns. I think my own data belongs to me, and only to me. Not to mention the travel time of the packages... (local server Vs server somewhere in the world, is it a real question?)
Even a $20 router, or a cheap Raspberry Zero can be used to build an own MQTT server with ~1W consumption.
Not a public server. My own server in the cloud, centralized for all my installations, home, office, summer house, friends house(s).
MQTT is so light and fast the few extra ms of latency literally makes no difference in the home automation, at least to me.

-D
-D

Post Reply

Who is online

Users browsing this forum: No registered users and 23 guests