Skip to content
This repository has been archived by the owner. It is now read-only.

/ WiFiLink-Firmware Archived

WiFi setup should use HTTPS and/or serial mode, not via plaintext credentials transmitted in the clear #25

Open
MartyMacGyver opened this issue May 21, 2017 · 2 comments
Open

WiFi setup should use HTTPS and/or serial mode, not via plaintext credentials transmitted in the clear #25

MartyMacGyver opened this issue May 21, 2017 · 2 comments

Comments

@MartyMacGyver
Copy link

@MartyMacGyver MartyMacGyver commented May 21, 2017

The WiFi setup for the ESP8266 should either be over a secure connection (HTTPS or WPA2) or configurable via serial (for example, via a sketch - a common method for this device).

Currently, private credentials are transmitted completely in the clear over the insecure AP network WiFiLink uses for setup, rendering them vulnerable to interception.
@jandrassy
Copy link

@jandrassy jandrassy commented Jun 18, 2017
edited

there is a bigger security problem :-). http://#ip address#/config.json
@MartyMacGyver
Copy link
Author

@MartyMacGyver MartyMacGyver commented Jun 19, 2017

For whoever triages this, the results of http://192.168.xx.yy/config.json are {"ssid":"your_ssid_name","password":"your_formerly_secret_password"} (with the actual data).

That's pretty bad.
@MartyMacGyver MartyMacGyver mentioned this issue Jun 19, 2017
Open
@MartyMacGyver MartyMacGyver mentioned this issue Jul 4, 2017
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
@MartyMacGyver @jandrassy