This repository was archived by the owner on Feb 19, 2020. It is now read-only.

WiFi setup should use HTTPS and/or serial mode, not via plaintext credentials transmitted in the clear #25

Open
MartyMacGyver opened this issue May 21, 2017 · 2 comments

Comments

@MartyMacGyver

The WiFi setup for the ESP8266 should either be over a secure connection (HTTPS or WPA2) or configurable via serial (for example, via a sketch - a common method for this device).

Currently, private credentials are transmitted completely in the clear over the insecure AP network WiFiLink uses for setup, rendering them vulnerable to interception.

@JAndrassy

JAndrassy commented Jun 18, 2017

There is a bigger security problem :-). http://#ip address#/config.json

@MartyMacGyver
Author

For whoever triages this, the results of http://192.168.xx.yy/config.json are {"ssid":"your_ssid_name","password":"your_formerly_secret_password"} (with the actual data).

That's pretty bad.
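
One way to close the `config.json` leak reported above, as an added example that is not part of the thread or the WiFiLink code base: the settings endpoint treats the password as write-only and reports only whether one is stored. `WifiConfig`, both function names and the `password_set` field are hypothetical, and the sample values are constructed.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stored settings; field names follow the JSON quoted in the thread.
struct WifiConfig { std::string ssid, password; };

// Escape quotes, backslashes and control bytes so an SSID cannot break the JSON.
static std::string json_escape(const std::string& in) {
    std::string out;
    for (unsigned char c : in) {
        if (c == '"' || c == '\\') {
            out += '\\';
            out += static_cast<char>(c);
        } else if (c < 0x20) {
            char buf[8];
            std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Behaviour reported in the thread: the stored password is echoed to any client.
std::string config_json_leaky(const WifiConfig& cfg) {
    return "{\"ssid\":\"" + json_escape(cfg.ssid) +
           "\",\"password\":\"" + json_escape(cfg.password) + "\"}";
}

// Hardened form: the secret is write-only; the UI learns only whether one is set.
std::string config_json_redacted(const WifiConfig& cfg) {
    return "{\"ssid\":\"" + json_escape(cfg.ssid) +
           "\",\"password_set\":" + (cfg.password.empty() ? "false" : "true") + "}";
}

int main() {
    WifiConfig cfg{"your_ssid_name", "your_formerly_secret_password"};  // constructed
    std::printf("leaky:    %s\n", config_json_leaky(cfg).c_str());
    std::printf("redacted: %s\n", config_json_redacted(cfg).c_str());
    return 0;
}
```

Redacting the response does not address the original report: credentials submitted during setup still cross the open AP network unless the transport is protected or serial configuration is used.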
