This repository has been archived by the owner. It is now read-only.

WiFi setup should use HTTPS and/or serial mode, not via plaintext credentials transmitted in the clear #25

MartyMacGyver opened this issue May 21, 2017 · 2 comments



@MartyMacGyver MartyMacGyver commented May 21, 2017

The WiFi setup for the ESP8266 should either be over a secure connection (HTTPS or WPA2) or configurable via serial (for example, via a sketch - a common method for this device).

Currently, private credentials are transmitted completely in the clear over the insecure AP network WiFiLink uses for setup, rendering them vulnerable to interception.


@jandrassy jandrassy commented Jun 18, 2017

There is a bigger security problem :-). http://#ip address#/config.json


@MartyMacGyver MartyMacGyver commented Jun 19, 2017

For whoever triages this, the results of http://192.168.xx.yy/config.json are {"ssid":"your_ssid_name","password":"your_formerly_secret_password"} (with the actual data).

That's pretty bad.
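
As an added illustration for this thread (not WiFiLink's code and not written by either commenter): one way a firmware handler could blank the secret before answering a request for config.json. The names `redactSecrets` and `skipString` are hypothetical, and the code assumes the stored configuration is a flat JSON object with a string-valued `password` key, as in the output quoted above.

```cpp
#include <set>
#include <string>

// Skips a JSON string token whose opening quote is at s[i].
// Returns the index one past the closing quote; honours backslash escapes.
static size_t skipString(const std::string& s, size_t i) {
    for (++i; i < s.size(); ++i) {
        if (s[i] == '\\') { ++i; continue; }  // skip the escaped character
        if (s[i] == '"') return i + 1;
    }
    return s.size();                           // unterminated: consume the rest
}

// Returns a copy of a flat JSON object in which the string value of every
// key listed in `secret` is replaced by an empty string. Nested arrays and
// non-string secret values are outside what this sketch handles.
std::string redactSecrets(const std::string& json,
                          const std::set<std::string>& secret = {"password"}) {
    std::string out;
    bool expectKey = true;    // the next string token is a key, not a value
    bool redactNext = false;  // the pending value belongs to a secret key
    for (size_t i = 0; i < json.size();) {
        char c = json[i];
        if (c == '"') {
            size_t end = skipString(json, i);
            std::string tok = json.substr(i, end - i);  // token with quotes
            if (expectKey) {
                redactNext = secret.count(tok.substr(1, tok.size() - 2)) > 0;
                out += tok;
            } else {
                out += redactNext ? "\"\"" : tok;       // drop the secret value
                redactNext = false;
            }
            i = end;
            continue;
        }
        if (c == ':') expectKey = false;
        else if (c == ',' || c == '{') expectKey = true;
        out += c;
        ++i;
    }
    return out;
}
```

Redaction only keeps the stored password out of the response; the setup form still submits credentials over the open AP network described in the first comment.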
