#1
by bluejedi » 25 Jun 2017, 21:02
The admin password required for accessing/configuring an ESPEasy node travels the network non-encrypted in clear text.
For MQTT the same problem exists. Usernames and passwords required for accessing MQTT gateways travel over the network non-encrypted in clear text.
Any coworker, hacker (or what have you) that has access to the network can snoop the usernames and passwords.
I would appreciate it if the following security features could be added to ESPEasy:
(As far as I'm aware none of these is yet implemented.)
- HTTPS/TLS access to ESPEasy configuration (UI)
This requires that a (self-signed) SSL (TLS) server certificate can be configured on the node.
- Support for MQTT over TLS
This requires that the (self-signed) CA certificate (chain) can be configured on the node.
- Support MQTT client certificates
This requires that a (self-signed) client certificate can be configured on the node.
Points of thought:
How can (similar to Wifi passwords) simple access to the certificates/passwords config data be prevented/protected?
For example in case of nodes being stolen which is much simpler than stealing a computer, especially in the case of outdoor nodes.
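What the first post describes for MQTT, shown on a constructed packet (an added example, not part of the original post and not ESPEasy code): an MQTT 3.1.1 CONNECT packet carries the username and password as plain length-prefixed fields, so a short parser recovers them whenever the connection is not wrapped in TLS. The client ID and credentials below are constructed sample values.

```python
import struct

def _field(value: bytes) -> bytes:
    # MQTT 3.1.1 field: 2-byte big-endian length followed by the raw bytes
    return struct.pack(">H", len(value)) + value

def _remaining_length(n: int) -> bytes:
    # Variable-length integer: 7 bits per byte, high bit set if more bytes follow
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_connect(client_id: str, username: str, password: str) -> bytes:
    """CONNECT packet as a client puts it on the wire when TLS is not used."""
    flags = 0x80 | 0x40 | 0x02  # username present, password present, clean session
    body = (_field(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60)
            + _field(client_id.encode()) + _field(username.encode())
            + _field(password.encode()))
    return b"\x10" + _remaining_length(len(body)) + body

def parse_connect(packet: bytes) -> dict:
    """Decode what any host that sees the TCP stream can read from CONNECT."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not an MQTT CONNECT packet")
    pos, length, shift = 1, 0, 0
    while True:  # decode the remaining-length varint
        byte = packet[pos]
        pos, length, shift = pos + 1, length | (byte & 0x7F) << shift, shift + 7
        if not byte & 0x80:
            break
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")

    def take(off: int):
        (n,) = struct.unpack_from(">H", body, off)
        return body[off + 2:off + 2 + n], off + 2 + n

    _proto, off = take(0)
    flags = body[off + 1]
    client_id, off = take(off + 4)  # skip level, flags, 2-byte keep-alive
    if flags & 0x04:  # will topic and will message precede the credentials
        _, off = take(off)
        _, off = take(off)
    user, off = take(off) if flags & 0x80 else (None, off)
    pw, off = take(off) if flags & 0x40 else (None, off)
    text = lambda b: None if b is None else b.decode(errors="replace")
    return {"client_id": text(client_id), "username": text(user), "password": text(pw)}

# Constructed sample values, not taken from any real node
SAMPLE = build_connect("espeasy-node-1", "sensor", "constructed-secret")
```

With MQTT over TLS the same bytes are sent inside the encrypted record layer, so the fields above are no longer readable on the network path.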
#2
by krikk » 25 Jun 2017, 21:30
Yeah, all this would be nice, but due to current limits of the hardware it is NOT possible: too few RAM, as stated on the wiki:
Do NOT expose the ESP Easy web interface directly to the internet, always make sure that the web interface is only reachable from "trusted/local" networks!
#3
by bluejedi » 25 Jun 2017, 21:53
krikk wrote: ↑25 Jun 2017, 21:30
Yeah, all this would be nice, but due to current limits of the hardware it is NOT possible: too few RAM, as stated on the wiki:
Do NOT expose the ESP Easy web interface directly to the internet, always make sure that the web interface is only reachable from "trusted/local" networks!
The latter statement is not referring to 'too few RAM'. Do you have any pointers for more info about 'too few RAM' for the SSL stuff?
Hey, I don't trust any network when security comes into view.
I always had the impression that the ESP8266 was a huge improvement over regular Arduinos when comparing memory and CPU specifications.
#5
by iron » 26 Jan 2019, 20:55
Is MQTT TLS not achievable?
I noticed a few other ESP8266 solutions (tasmota, mongoose, and the like) that support MQTT TLS.
I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.
Publishing sensitive information to the cloud unencrypted is like asking for trouble.
-D
-D
#6
by enesbcs » 26 Jan 2019, 21:33
iron wrote: ↑26 Jan 2019, 20:55
I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.
Although I agree that SSL is a good thing, and this would be very useful in ESPEasy, I would never use a public MQTT server, and I would not recommend it to anyone who is capable of setting up a firewall and a dyndns. I think my own data belongs to me, and only to me. Not to mention the travel time of the packages... (local server vs. server somewhere in the world, is it a real question?)
Even a $20 router or a cheap Raspberry Zero can be used to build your own MQTT server with ~1W consumption.
#7
by iron » 26 Jan 2019, 21:42
enesbcs wrote: ↑26 Jan 2019, 21:33
iron wrote: ↑26 Jan 2019, 20:55
I do not want to host an MQTT server in my house, and in every friend's house that I recommend / install ESPEasy h/w at.
Although I agree that SSL is a good thing, and this would be very useful in ESPEasy, I would never use a public MQTT server, and I would not recommend it to anyone who is capable of setting up a firewall and a dyndns. I think my own data belongs to me, and only to me. Not to mention the travel time of the packages... (local server vs. server somewhere in the world, is it a real question?)
Even a $20 router or a cheap Raspberry Zero can be used to build your own MQTT server with ~1W consumption.
Not a public server. My own server in the cloud, centralized for all my installations: home, office, summer house, friends' house(s).
MQTT is so light and fast that the few extra ms of latency literally make no difference in home automation, at least to me.
-D
-D