This repository has been archived by the owner. It is now read-only.

WiFi setup should use HTTPS and/or serial mode, not via plaintext credentials transmitted in the clear #25

Open
MartyMacGyver opened this issue May 21, 2017 · 2 comments

MartyMacGyver commented May 21, 2017

The WiFi setup for the ESP8266 should either be over a secure connection (HTTPS or WPA2) or configurable via serial (for example, via a sketch - a common method for this device).

Currently, private credentials are transmitted completely in the clear over the insecure AP network WiFiLink uses for setup, rendering them vulnerable to interception.

jandrassy commented Jun 18, 2017

There is a bigger security problem :-). http://#ip address#/config.json

MartyMacGyver (author) commented Jun 19, 2017

For whoever triages this, the results of http://192.168.xx.yy/config.json are {"ssid":"your_ssid_name","password":"your_formerly_secret_password"} (with the actual data).

That's pretty bad.
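
Added example, not part of the thread and not the project's code: a regression check an owner can run against the status and body their own device returns for `/config.json` without authentication, plus the redacted form a setup page could serve instead. The secret key list and all function names are assumptions; the sample body is constructed from the response quoted above.

```python
import json

# Key names treated as secrets (an assumption; extend for your firmware).
SECRET_KEYS = {"password", "pass", "psk", "passphrase", "secret", "token"}
# Constructed sample mirroring the response body quoted in this thread.
SAMPLE_BODY = '{"ssid":"your_ssid_name","password":"your_formerly_secret_password"}'


def _is_secret(key, value):
    """A keyed scalar whose name marks it as a credential."""
    return str(key).lower() in SECRET_KEYS and not isinstance(value, (dict, list))


def _walk(node, path=""):
    """Yield (path, key, value) for every keyed scalar in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if isinstance(value, (dict, list)):
                yield from _walk(value, child)
            else:
                yield child, key, value
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def exposed_secrets(status, body):
    """Paths of non-empty secret fields in an unauthenticated HTTP response."""
    if status != 200:
        return []  # 401/403/404: the endpoint disclosed nothing
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON, so no config document was served
    return [p for p, k, v in _walk(doc) if _is_secret(k, v) and v not in ("", None)]


def _scrub(node):
    if isinstance(node, dict):
        return {k: "" if _is_secret(k, v) else _scrub(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_scrub(v) for v in node]
    return node


def redact(body):
    """Config JSON with secret values blanked, safe for a status page to return."""
    return json.dumps(_scrub(json.loads(body)))
```

A fixed firmware should make `exposed_secrets` return an empty list, either because the endpoint now requires authentication or because the password field is blanked as `redact` does.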
