WiFi setup should use HTTPS and/or serial mode, not via plaintext credentials transmitted in the clear #25

Open
MartyMacGyver opened this Issue May 21, 2017 · 2 comments

MartyMacGyver commented May 21, 2017

The WiFi setup for the ESP8266 should either be over a secure connection (HTTPS or WPA2) or configurable via serial (for example, via a sketch - a common method for this device).

Currently, private credentials are transmitted completely in the clear over the insecure AP network WiFiLink uses for setup, rendering them vulnerable to interception.

jandrassy commented Jun 18, 2017

There is a bigger security problem :-). http://#ip address#/config.json

MartyMacGyver commented Jun 19, 2017

For whoever triages this, the results of http://192.168.xx.yy/config.json are {"ssid":"your_ssid_name","password":"your_formerly_secret_password"} (with the actual data).

That's pretty bad.
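
An added example, not part of the issue thread or the project's code: a regression check a maintainer could run over a captured `/config.json` response to confirm that a fix no longer discloses the WiFi password. It assumes the request was sent without credentials; the function names and the list of secret-looking keys are hypothetical (only `password` appears in the issue), and both sample bodies are constructed.

```python
import json

# Assumed key names that mark a secret; only "password" appears in the issue.
SECRET_KEYS = {"password", "pass", "psk", "passphrase", "secret", "token"}

def find_secret_fields(node, path=""):
    """Return JSON paths whose key looks secret and whose value is a non-empty string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and isinstance(value, str) and value:
                hits.append(here)
            else:
                hits.extend(find_secret_fields(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_secret_fields(item, f"{path}[{i}]"))
    return hits

def audit_config_response(url, status, body):
    """Audit one captured response; findings name fields but never echo their values."""
    findings = []
    if status != 200:
        return findings  # endpoint refused or absent: nothing was disclosed
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON, so not the config document from the issue
    fields = find_secret_fields(doc)
    if fields:
        findings.append("unauthenticated response discloses: " + ", ".join(fields))
        if url.lower().startswith("http://"):
            findings.append("served over plaintext HTTP")
    return findings

# Constructed samples: LEAKY has the shape quoted in the issue, REDACTED is a
# possible fixed response that keeps the SSID but blanks the password.
LEAKY = '{"ssid":"your_ssid_name","password":"your_formerly_secret_password"}'
REDACTED = '{"ssid":"your_ssid_name","password":""}'

if __name__ == "__main__":
    for body in (LEAKY, REDACTED):
        print(audit_config_response("http://192.168.xx.yy/config.json", 200, body))
```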
