
#232 

Andreas Spiess
475K subscribers
114K views

Most of our IOT devices are insecure and vulnerable. It’s high time to learn how to make them more secure, also because unsecured devices will no longer be able to use valuable services without the HTTPS protocol. Already now, Google services, for example, no longer accept unsecured connections. But is it complicated? Let’s find out!
Our ESP8266 and ESP32s support such secure connections. In this video, I will show you how to change your unsecured sketches in a few simple steps. And you will learn some basics about encryption and certificates, which you can use during the next discussion with your boss or your colleagues.
We will cover:
1. How does SSL work? We just need the most basic knowledge
2. How can we access cloud services using HTTPS with our ESP8266 and ESP32?
3. How can we create trust?
4. How much memory is needed on our devices?
Links:
Sketches: github.com/SensorsIot/HTTPS-f...
Supporting Material and Blog Page: www.sensorsiot.org
Github: www.github.com/sensorsiot
My Patreon Page: / andreasspiess
My Bitcoin address: 19FSmqbBzb5zsYB1d8Bq4KbxVmezToDNTV
If you want to support the channel, please use the links below to start your shopping. No additional charges for you, but I get a commission (of your purchases the next 24 hours) to buy new stuff for the channel
For Banggood bit.ly/2jAQEf4
For AliExpress: bit.ly/2B0yTLL
For ebay.com: ebay.to/2DuYXBp
profile.php?...
/ spiessa
www.instructables.com/member/...
Please do not try to Email me or invite me on LinkedIn. These communication channels are reserved for my primary job
Equipment in my lab: www.sensorsiot.org/my-lab/

Science

Published: 12 Oct 2018

Comments: 381
@zvpunry1971 5 years ago
Comparing the CAs to the Mafia was absolutely great! :)
@GRBtutorials 5 years ago
Yes, especially considering they get a lot of money as well.
@AndreasSpiess 5 years ago
Thank you!
@wiebel7569 5 years ago
Absolutely nailed it.
@Kyle-ye4nj 5 years ago
Totally agreed!
@alejandrov9500 3 years ago
One or two years ago I saw a series of your videos that I really liked. These days I spend hours learning from your videos. The explanations are among the best I have heard in my entire life, the format and presentation are excellent. You are a very good communicator, the speech is clear, precise and summarized. I also like your humor and comments, it makes the content lighter. Sincerely grateful for sharing your knowledge in this way and working so hard to make these super lessons.
@AndreasSpiess 3 years ago
Thank you for your nice words! Glad my videos are helpful.
@altosack 3 years ago
Fantastic! I had used public/private key encryption for years, both as a user and a programmer, without really understanding how it works; I only thought I did. You explained it simply, and in a way I will never forget, before minute five in this video. Bravo, sir!
@AndreasSpiess 3 years ago
Glad it helped!
@sethrd999 5 years ago
This is a great intro into SSL for anyone new to the subject, I do a lot of conversions myself as I use ( mostly dreaded ) KeyStore/TrustStore in Java and have to provide the chains as you describe in the browser. I would just add that anyone venturing into this territory ( even under windows ) to familiarize yourself with the openssl command and its syntax, just be aware that I have found some quirks with windows that the only work around I found was to move all the required files to a linux system ( VM ) and finish up there. I too use letsencrypt using the certbot engine to roll my keys when they expire automatically ( In my home ), super slick and easy to get up and going once you understand the basic principles. Great video as always.
@AndreasSpiess 5 years ago
Thank you! I think your comment is more for the server side. In this video, I tried to focus on the client/IOT side to be able to access HTTPS servers. So far I never built a server myself (other than my Raspberries behind my firewall).
@gte24v 5 years ago
Excellent video, thank you. I loved the Mafia parallel, "is he a friend of yours, or is he a friend of *ours*?" as a colleague used to say at work a few years ago. This is something I have been meaning to do for quite some time and your explanation made it even simpler. :-)
@AndreasSpiess 5 years ago
This was the purpose of the video!
@tonybell1597 5 years ago
Thanks Andreas, perfect, all boiled down to what we need to know.... Feel confident to get it done in my own sketches now....
@AndreasSpiess 5 years ago
Glad to read that. Thank you!
@c2h7 4 years ago
Even though I already know most of the SSL details and almost skipped forward, I'm glad I didn't because you explain things very nicely. So well that even after reading about HTTPS from 3-5 different sources, it finally clicks when you explain it. You should teach professionally :-)
@AndreasSpiess 4 years ago
Thank you. I teach sometimes at Universities. But here I have a bigger audience ;-)
@geros9503 5 years ago
Thank you Andreas, great explanation. Loved the Mafia comparison.
@AndreasSpiess 5 years ago
You are welcome!
@velox__ 4 years ago
I had just about given up on this, but this got me on the right track! Thank you!
@AndreasSpiess 4 years ago
You are welcome!
@PhG1961 5 years ago
Great video and an excellent tutorial on security which usually doesn't get too much attention.
@AndreasSpiess 5 years ago
It is not only about security. If our cloud services change, we will no more be able to use them :-(
@asiw 5 years ago
Excellent. Thank you for making a complex subject accessible. Wouldn't it be nice if we didn't have to do this but unfortunately there are always some people who will try to cheat.
@AndreasSpiess 5 years ago
:-) I think cheating was already in the first plans of whoever designed humans...
@SolarWebsite 5 years ago
This is extremely informative, thank you very much.
@AndreasSpiess 5 years ago
You are welcome!
@freeelectron8261 5 years ago
That "guy with a Swiss accent" sure is smart! Thanks Andreas, another great lesson :)
@AndreasSpiess 5 years ago
You are welcome!
@michelebernasconi375 5 years ago
Great practical tutorial, thanks a lot!
@AndreasSpiess 5 years ago
You are welcome!
@northshorepx 5 years ago
This is something that everyone should be thinking about before any communications take place!
@AndreasSpiess 5 years ago
I hope I am able to remove some of the fear many people have to start with this technology.
@northshorepx 5 years ago
Yes Andreas, your down to earth tutorials really do help!
@andybarnard4575 5 years ago
I agree we should think about data security. Having done so I use two alternative approaches to securing traffic with esp8266. Firstly put http traffic from esp8266 through a VPN tunnel if endpoints are controlled, secondly use SSL reverse proxy server. A raspberry pi or similar can perform both functions.
@slinco65 5 years ago
@@andybarnard4575 would you explain to us how you do that please?
@andybarnard4575 5 years ago
At a high level, yes, for detail I always use Google... I use esp8266s mostly as servers, not clients, and I use orange pi on armbian for the SSL part. For reverse proxy 1. install apache on a suitable server (apt-get install apache2 or similar...) 2. get a dynamic dns name (eg. from afraid.org, use their updating script) 3. get a lets encrypt cert from certbot.org use full automatic method 3. configure local router to always give ESP8266 server same LAN IP address 4. install apache_mod proxy and configure using the 'digital ocean' guide (google reverse proxy and digital ocean). 5. Access esp8266 securely over internet. 6. In VPN scenario you have two sites both with dynamic DNS e.g. as step 2 and a box at each end 7. Install VPN server on one site, VPN client on another. 8. Many solutions for this e.g. open vpn again use digital ocean config guide, but for other reasons I use L2TP with client from a Mikrotik RouterOS running on a HAP lite and configure a server on the main site using Softether VPN. Both have good config guides. On server side need to make sure firewalls and port forwarding is configured. That's how I do it, and just as a for instance. Result is ESP8266 sketches communicating over internet in secure manner but without having to deal with SSL themselves. Hope the concepts at least are of some use to you.
@MultigrainKevinOs 5 years ago
Excellent video! Thanks for pulling all the information together to help explain certs, it's always been something I only quasi knew how it functioned but this sure clears it up and I want to update my DIY sketches now to secure them :)
@AndreasSpiess 5 years ago
The same on this end. So I invested the time to learn it and thought it might be of value for others...
@UMERLEO 5 years ago
Thanks a lot. I can now explain with confidence if someone asks me instead of blabbering on. Couldn't find any easy explanation/comparison elsewhere.
@AndreasSpiess 5 years ago
I also had to search and combine different sources...
@thesimbon 5 years ago
Thanks again for another useful video and the sketches too.
@AndreasSpiess 5 years ago
You are welcome!
@geralde.5724 5 years ago
In the esp8266 versions you have "connect(); verify(); connect(); send()", you can leave the second connect() out. Good to see the esp getting better at tls encryption!(when i researched the cert method wasn't available yet)
@AndreasSpiess 5 years ago
Thanks for the tip. I used the example files and did not bother too much...
@avejst 5 years ago
Fantastic video. Thanks for sharing 👍😀
@AndreasSpiess 5 years ago
You are welcome!
@4.0.4 5 years ago
When I first started reading about the ESP8266 when it came out, one of the first things I thought was "ok, but what about encryption?" and was surprised at how hard it was, and how uncommon. Today's IoT infrastructure is pretty unsafe. I think the best model right now is to use SBCs as central hubs to microcontrollers, since even the cheapest $10 SBCs can do HTTPS just fine. Sometimes, even the work of microcontrollers can be done by the SBC, especially when it isn't timing-critical. Plus you can then code logic as scripts rather than C. Microcontrollers shine when low-power and real-time processing is required, but the difficulty to make them secure must not be ignored. It's always good to assume that these devices aren't safe and consider the implications. "What could a hacker do with this?" For things like lamp colors, air conditioner automation, motorized blinds, homemade weather stations, etc - then even HTTP is good enough.
@AndreasSpiess 5 years ago
I agree. My problem was more that many companies do no more accept HTTP connections. And I find the combination of ESPs and cloud services a good thing.
@iangster3216 5 years ago
I wish I was Swiss, you have so much freedom there
@AndreasSpiess 5 years ago
We also have our wives who restrict it considerably ;-)
@digitalartee 2 years ago
Great vid !
@AndreasSpiess 2 years ago
Thank you!
@electronic7979 5 years ago
Useful video 👍 Excellent 👍
@AndreasSpiess 5 years ago
Thank you!
@rgmtb 5 years ago
Wow, this is a pretty complex topic. It’s gonna take some practice to get my head around it for sure.
@AndreasSpiess 5 years ago
I also only understand the basics ;-)
@niekbeijloos8355 4 years ago
Thank you!
@BreakingBytes32 3 years ago
Thanks a lot.... my smart home system with telegram bot stopped working a few days ago due to this issue.... I didn't find any documents or tutorial to understand this...... but now I think I can make it work again... thanks a lot 🙂
@AndreasSpiess 3 years ago
Glad I could help
@sbx320 5 years ago
Some notes:
- If you are running the server (for example when communicating between an esp32 and your PC) you can also create your own certificate authority and make your client esp32 trust that CA. Usually referred to as "self signed" certificates. Same security, less Mafia :)
- For validation via fingerprints you can also use the fingerprint of the certificate authority (or any other point in the chain). Not sure if that's easily available with WifiClientSecure (my esp32 is still in the mail)
- Supporting more cipher suites may actually be bad, as an attacker can remove secure ciphers from that list via a downgrade attack. Therefore you might end up using an insecure cipher.
If you control the server, other options may actually be better for performance. For example you could avoid the asymmetric crypto part by supplying your device with a static symmetric key once. If you only care about integrity (no one else may edit the data) and not about confidentiality (no one else may see the data) just signing the data is enough. Not sure how much of those is exposed in easy to use libraries for the esp32, but since it can do https, both ideas should be fairly easy to achieve.
@AndreasSpiess 5 years ago
Thank you for your comment. This video was focussed on accessing available services outside the firewall. So far, I do not encrypt the traffic behind my firewall. I am sure your comment helps if somebody wants to do that.
@GRBtutorials 5 years ago
This doesn't have anything to do with firewalls. It's about running your own server, something you can do either locally, available only to your LAN unless you configure the NAT and have a static IP address or use a dynamic DNS service such as No-IP (free with limitations); or remotely, with a hosting provider.
@duraffourgmaud6145 3 years ago
Thank you for this tutorial, it was just the right thing to get me started on my project. Really easy to understand ! Your channel is really a gold mine for IOT users ! I'm working with an ESP32 and an MQTT Server. I found that the way to make the connection secure with the server is close to what you show in this video, with some nice certificate. It's working quite nicely in local network, and it's in part thanks to you ! But if my ESP32 is outside the network, then I manage to reach the server (with its public IP and some port forwarding on my box), but I can't connect to it. Did you ever have a similar problem ? It's quite mysterious : I know my certificate is ok, as is my server. But suddenly the server told me my certificate is corrupt. Almost mystifying, really.
@AndreasSpiess 3 years ago
A project I was involved in (IOTappstory) had to solve this problem. But I do not know the details. I only know it was not easy :-(
@duraffourgmaud6145 3 years ago
@@AndreasSpiess Ah, I can believe it, network problems are never easy. I don't suppose you've got a hint on how it was solved ?
@akj7 5 years ago
Thanks for the tutorial. I wish I had something similar when I was handling HTTPS connections with Google to get my emails.
@AndreasSpiess 5 years ago
I hope you were successful in the end...
@akj7 5 years ago
Andreas Spiess, I was.
@lmamakos 5 years ago
Very nice video. I shall do my best to share the mafia-centric description of PKI trust! I think that in my Home Automation use-case, the ESP8266 and ESP32 devices will have long-lived MQTT-over-TLS sessions established, so the impact of doing the TLS session establishment and public key cryptography won't really be that noticeable. Thanks!
@AndreasSpiess 5 years ago
Thank you! I do not know how MQTT is implemented and I agree if they can keep the connection open you do not have a lot of overhead (other than heap memory).
@systpro4 5 years ago
Have you programmed MQTT-over-TLS on an ESP8266 via the Arduino IDE? If so, could you please share the code for that? Thanks!
@giannifed 2 years ago
Thank you sir
@AndreasSpiess 2 years ago
You are welcome!
@binershock 5 years ago
Just today joined your patreon! - It seems like for a deployment of a device for several years or more, you must create a scheme to replace expired certs or otherwise the old fingerprints. I guess if this is the plan, you probably have some way to update the whole "sketch" anyway.
@AndreasSpiess 5 years ago
Thank you for your Patreon support! You are right, the certificates have to be replaced. Usually after 2020 or 2022. Maybe we will have better possibilities then and can change our sketch accordingly...
@rodstartube 5 years ago
As always great info and great explanation, however, it would be great to know how much power and data bandwidth SSL consumes over non SSL.
@AndreasSpiess 5 years ago
Another viewer shared his experience. I pinned the comment. Maybe you read it. The bandwidth usually is no big issue.
@duncanx99 5 years ago
Excellent - but I'm going to need to watch it a few times to grasp the methods for implementing HTTPS...
@AndreasSpiess 5 years ago
I also had to watch several videos to understand it. You are not alone ;-)
@KalterKrieger 5 years ago
Hi Andreas, what 8266 core do you recommend? I use 2.4.0 because I had problems with newer ones which consume much more memory than the 2.4.0.
@AndreasSpiess 5 years ago
I did not care too much recently and usually upgrade to the newest version. I only care about memory consumption if I do not have enough ;-)
@Pyrografpl 1 year ago
Thank you
@AndreasSpiess 1 year ago
You're welcome!
@FindLiberty 5 years ago
APPROVED
@AndreasSpiess 5 years ago
:-)
@PaulCavanagh69 5 years ago
Very interesting Andreas, if we could integrate this with wifi manager that could store certificates, the link between esp8266 iot devices with sensors would be more secure.
@AndreasSpiess 5 years ago
I think you could do that. But if the certificate is valid for a few years, you probably do not want to change it through WiFimanager.
@gte24v 5 years ago
Ah, yes, I think I see the point - being able to change the key without programming. Perhaps that is something that could be added to IotAppStory.com for example?
@Javito379 5 years ago
Hi, great work as always. So correct me if I am wrong, this rules out self signed certificates?
@AndreasSpiess 5 years ago
Certificate generation is on the server side. This video focuses on the client side and assumes, the server thing is up-and-running. I also did not cover the certification of the ESP device itself as so far, I had no need for that...
@pawel753 5 years ago
Great tutorial as always! However, I think one important step is missing here - how to get a certificate from trusted CA. As I see from your screenshots you're using LetsEncryptIt certificate, do you plan to create another video on this? Thanks!
@AndreasSpiess 5 years ago
This video did not cover the web server part. Because of that, I did not cover the installation of certificates on the ESP. In this scenario, there was no need for creating certificates as this is done by the service providers. If I find a scenario where we need a certificate on an ESP I will cover also this aspect. So far I did not find one.
@pawel753 5 years ago
@@AndreasSpiess Accessing ESP device web interface isn't this scenario?
@AndreasSpiess 5 years ago
No, only connecting a web server from the ESP. Of course, the SSL theory applies to both scenarios.
@santorcuato 5 years ago
Hi Andreas, I know that this video is 3 months old but it is really difficult to follow you, and sometimes expensive, but ever fun. I have tried the example with the ESP32 and everything works fine, but if I'm not wrong, you said that the use of client.setCACert(root_ca); is mandatory. Because I'm really old but still a little rebel, I tried the same sketch without setting the root_ca, by simply commenting the line. And it works and the resulting JSON is exactly the same, a point that simplifies a lot the https connection. If someone wants to try it, not only in the example but in real life, any comment will be welcome. Thanks for all your effort and enthusiasm! Rom
@AndreasSpiess 5 years ago
Maybe they changed the behavior of the library. As mentioned in the ESP8266 example, the certificate is not for the site, it is for you to check if you are connected to the right site. The ESP8266 always returned the string, also w/o a certificate.
@feedchequefc682 5 years ago
Great video as always Andreas. Detailed but not boring. Very good presentation indeed. Maybe this goes outside of this video's content since we are talking about the security... how do you handle securing your keys or certificates? After all your 8266 sketch can be read by anyone therefore an attacker can also read the certificate information. Is there a way to secure the certificate or public key info written into the sketch?
@AndreasSpiess 5 years ago
As the name implies: The public key does not need to be hidden. That was the invention. And I think, the inventors got the Nobel prize for that.
@milicsantiago 11 months ago
great!
@AndreasSpiess 11 months ago
Thank you!
@avejst 5 years ago
Wow, interesting subject. Thanks for sharing 👍😀
@AndreasSpiess 5 years ago
You are welcome!
@NishantjonyJaiswal 5 years ago
I'm gonna watch this multiple times..😴😴
@AndreasSpiess 5 years ago
Enjoy!
@assadon397 1 year ago
Thank you so much. In my case, I used the root_ca to secure MQTT, specifically HiveMQ. However, I don't understand if there will be an exchange of symmetric keys or if the esp8266 will simply use this certificate to encrypt payloads to the broker.
@AndreasSpiess 1 year ago
I am no specialist. So I do not know the details :-(
@sorin.n 5 years ago
I will make now requests to the server it can't refuse... :D
@AndreasSpiess 5 years ago
:-))
@mitolsteu9274 4 years ago
Thank you for the perfect explanation. It is very useful and focuses on the important facts. Is there any possibility to download the SHA1 fingerprints from a server or website? It would be easy to update the fingerprints by stating the URL and getting back the SHA1 fingerprint like in the browser. So the sketch could get it once the fingerprint is expired and I would not need to update it manually.
@AndreasSpiess 4 years ago
I do not know.
@burmwout5525 4 years ago
This would not be secure, because if you would have a man in the middle, it would just provide you with the wrong fingerprint and you would not know.
@koz 5 years ago
Another very useful video. Thank you! But I also think it's important to learn how to provide a secure https connection on the little websites *hosted* on an ESP*. All those important little web interfaces, often with username and password fields to access them, etc. - so many 192.168.*.* admin interfaces need to be secure. I see that recent updates to the ESP8266 libraries appear to contain a lot more examples for this, such as 'WiFiHTTPSServer', which also contains a script to generate a 'Self-Signed Certificate' to enable your ESP*-hosted website to run via https.
@AndreasSpiess 5 years ago
You are right, you can also encrypt these connections. I usually do not encrypt the traffic behind my firewall and use MQTT for the connection to my ESPs . So I had no need for this scenario so far.
@danielmoraes9637 5 years ago
Thanks
@AndreasSpiess 5 years ago
You are welcome!
@wassfila 5 years ago
Great overview, security is a vital topic for IoT and advanced tech is nothing without such good pedagogical presentations. I wonder if it is that easy to have the esp32 as an https server ?
@AndreasSpiess 5 years ago
I think it is possible. However, I do not use encryption behind my firewall.
@wassfila 5 years ago
I also would not venture opening up a port for an esp32 through my double routers walls, I use a VPN for that. But the IoT is pushing with things like Thread that standardizes bridging ipv6 sensors to the internet, we'll see how IoT security will evolve.
@joshuaandresblancojerez6455 3 years ago
Thank you for making my life easier hahaha
@AndreasSpiess 3 years ago
Happy to help!
@hugob5263 5 years ago
Great explanation!! Just one doubt: Who creates the symmetric key? The iot device? One of its libraries? Thanks!!!
@AndreasSpiess 5 years ago
AFAIK public key methods do not use symmetric keys
@hugob5263 5 years ago
@@AndreasSpiess no, of course. Not public key. I'm talking about the symmetric key that iot device and server share encrypted (around 4.10 min in your video). Who generates it? Anyway, now, there is a new library/method in arduino so called BearSSL. Can you give us some explanation about it?? Thanks!!!
@AndreasSpiess 5 years ago
I assume the key is generated by the device. I am not sure I will cover BearSSL as I am no specialist here.
@suisse0a0 5 years ago
If you don't have the ability to use https (like with my cheap attiny) I set up a ssl proxy (look for tls offloading or (I think) tls termination proxy) on a PI (which is my cheap server) to handle the encryption part. Two "possible issues" : 1) One more potential failure in the chain 2) I must trust my own network
@AndreasSpiess 5 years ago
We used these proxies in the past and they work well. I wanted to show that we can do the same only with an ESP. Your method, of course, is still possible and can solve some issues, especially issues with resources on the ESPs
@RGPinger 5 years ago
Andreas and what if people are using Arduino + Ethernet shield? :-) They are unable to use HTTPS.
@ralfjahns3777 5 years ago
Not too many real projects recently. I know, they cause much more work but I prefer them compared to all the pure educational videos. Nothing beats the reminder device. :-)
@AndreasSpiess 5 years ago
Thanks for the reminder ;-) I try to mix the different things...
@tastenklopper3038 3 years ago
This is the first video I am watching from this channel. I want to stream my ESP32 Cam remotely. When he says "the rest of the code stays the same", what code does he mean? It looks a lot different than the example camera code.
@AndreasSpiess 3 years ago
I do not know the ESP32 cam and if it uses the http protocol :-(
@AndreasDelleske 2 years ago
Dear Andreas, since this video is already older and I am fighting with micropython on an ESP32, didn't find much in the internets: It would be fantastic if you could try HTTPS requests on micropython :) maybe even with proper certificate checking - or would you suggest CircuitPython? So far, I like Thonny a lot..
@AndreasSpiess 2 years ago
After my Toit "excursion" I will not cover higher languages for quite some time. The time is just not ripe for mainstream. At least not in this community...
@AndreasDelleske 2 years ago
@@AndreasSpiess Ah OK, thank you for your answer!
@Bigman74066 1 year ago
As usual, a great video. However, I did miss the part that talks about performance of the asymmetrical (handshake) part of the connection. Depending on the cipher it may take up to 3 seconds to get the connection up and running. When using mqtt this can be a major pain in the bottom. I would have loved to have some more info on that since it's hard to find...
@AndreasSpiess 1 year ago
I do not use encryption in my LAN.
@Bigman74066 1 year ago
@@AndreasSpiess I don't understand. The video is about using SSL on (for example) an ESP32. An SSL connection starts with a handshake that uses asymmetrical encryption. It can be very slow especially if you reconnect every few seconds (MQTT for example). It made using MQTT over SSL nearly impossible for me. Hence my question...
@AndreasSpiess 1 year ago
@@Bigman74066 Sorry that my answer was so short. What I wanted to say is that I use SSL to contact internet services like Google. So I do not need frequent repetition. MQTT is only used for my sensors on my Wi-Fi. So the 3 seconds are not a problem for me.
@Bigman74066 1 year ago
@@AndreasSpiess thanks for clarifying. Maybe someday a video will pop up about performance of MQTT over SSL on an ESP32. You never know!
@RobinHilton22367 5 years ago
Could you not update the keys using OTA updates or a form of external memory?
@korishan 5 years ago
I was thinking the external memory, using an EEPROM. OTA of the flash might be a bit much if you needed to do it every other week just for a key. imho
@AndreasSpiess 5 years ago
You can update the keys from the outside. But you should not forget it. Otherwise, you cannot do it anymore ;-) I find the idea of long-lasting certificates more appealing, though.
@niekbeijloos8355 4 years ago
The code used in HTTPSRequest.ino for the esp8266, is it not outdated? Because I see the BearSSL library is more often used these days and the axTLS library is deprecated. Does this matter as to the safety of the connection? Please clarify, thank you!
@AndreasSpiess 4 years ago
This is an old video. BearSSL does not change the basic concept. So there should be no difference in security.
@TomaszDurlej 5 years ago
Consider also https for esp8266/32 in server role. It's pretty easy with reverse proxy and raspberry pi and nginx for example. Some additional config is necessary for separation iot and normal sides of home network.
@AndreasSpiess 5 years ago
So far I do not use encryption behind my firewall (for IOT devices). This video was mainly to ensure we still can use useful cloud services. But if you want to access your ESP from the outside it might be necessary... Usually, I use MQTT instead of a web server on the ESP. I find it more appropriate for the small resources of our devices. Nginx is on my video list for a long time..
@wyzedfz1495 2 years ago
I know that this is old but I was struggling with this as I want to make my IoT devices as secure as possible, keeping in mind good practices. Since I have some other (In fact, a lot of) ESP servers at home which I want to reach from the outside (All of them are HTTP with basic authentication), I think that my best shot is to build a reverse proxy with a SBC (Probably a raspi), isn't it? What do you think @Andreas Spiess ? Do you have any vids on this topic? Thanks in advance!
@chadreshpatel2339 2 years ago
Many webservers are hosted on cloud where single physical server host many web servers and uses SNI (Server name indication) to resolve the server name. Many small IoT controllers do not support SNI feature. Do you know whether Esp32 libraries support SNI?
@AndreasSpiess 2 years ago
No, I never had to solve this issue.
@elmoferguson 3 years ago
FYI, line 31 of the Python code is different between what is shown in the video and what is in the actual code. I found the video version worked. On video: hexList = list(''.join(map(chr,hexData))) In code: hexList = list(''.join(hexData))
@AndreasSpiess 3 years ago
Thanks for the correction. Maybe it will help somebody in the future...
@JoaoVictor-xi7nh 2 months ago
OH MY GOD THIS COMMENT JUST SAVED MY ASS THANK YOU SO MUCH
@TravisHardiman 5 years ago
Is there any disadvantage to putting the certificate.cer into the SPIFFS storage?
@AndreasSpiess 5 years ago
I do not like SPIFFS for such a small amount of data. You have to upload it separately. The library probably takes more space than the certificate. Otherwise, you can do it.
@lomolariful 5 years ago
A VPN might only be helpful in cases where you own the endpoint of the connection as well, if I'm not wrong. But I'm asking myself if it's possible to access a local proxy server via HTTP and let it do the heavy HTTPS stuff with the outside world?
@Steve_Coates 5 years ago
It is, but it leaves your IoT devices vulnerable to local attack. Personally I don't want anyone else able to access my cameras, heating controls etc., nor do I want to leave any easy entry point into my home network. I use SSL on all my gadgets even though everything external is handled by a proxy.
@browaruspierogus2182 5 years ago
Better and faster is the built-in ESP encryption that can be used with UDP/TCP, and it is much safer and free :)
@AndreasSpiess 5 years ago
You are right. But the purpose of that video was to enable our devices to use services on the internet even if they change to HTTPS. So far, I do not encrypt behind my firewall.
@Dust599 5 years ago
What about power usage? Encryption/decryption doesn't happen for free: more power and more data usage...
@korishan 5 years ago
Ahhhh, I didn't think about that while I was watching. Not such an issue if the device is plugged into a wall socket. But if it's powered by a LiPo (or similar), that could make a huge difference.
@AndreasSpiess 5 years ago
There is a post by another viewer (Frank Hessel) which covers that aspect. I did not investigate the connection times necessary using HTTPS vs. HTTP. HTTPS times are definitely longer. But if our service providers change, we have no choice :-(
@hikuri3500 5 years ago
Great tutorial. Is there any way to do this in AP mode? Do you know any tutorial, link or information about it? I feel lost.
@AndreasSpiess 5 years ago
Maybe here: github.com/fhessel/esp32_https_server
@Zhaymoor 5 years ago
How do you learn all that, man? Mashallah, you are so amazing at this. I really want to visit Switzerland to meet you! Thank you for the great content.
@AndreasSpiess 5 years ago
It is very easy to learn stuff: curiosity, also at my age, and hard work ;-)
@donpalmera 5 years ago
IMHO TLS on platforms without even basic stuff like memory protection is maybe not totally pointless but only slightly better than it not being there at all. Especially when you have so little memory to start with and the memory pressure created by the TLS library will make it easier to create overflows etc. I say this after having implemented TLS on a Cortex M3 based product with more memory that's out in the wild in a few hundred thousand units... when I think about how many issues the industry-standard OpenSSL had/has I really don't have much hope that any of the embedded TLS libraries, which AFAIK are all based on some old BSD licensed code that was kicking around, being all that good. In most applications you'd use a microcontroller for you don't even want the privacy (encryption) bits. You mostly want to validate the source of messages. I think there are cheap i2c secure elements that can do HMAC signing and validation. That seems like a better solution IMHO. If you have an upstream service that requires HTTPS it seems to me like a gateway to that service running in the cloud would be better than trying to do it on the ESP itself.
@AndreasSpiess 5 years ago
I am no security specialist and I just wanted to show how we can make sure that we still can use our cloud services if they only accept HTTPS connections. Maybe it is not secure, but I cannot change anything because I have no knowledge in this area. If you have to build a sellable product this is another story; AFAIK the new Arduinos use such an I2C chip. I also do not understand what the encryption blocks in the ESP32 do and if they are used by the libraries.
@donpalmera 5 years ago
I wasn't being negative about your video. I was being negative about the state of this stuff in IoT in general.
> we still can use our cloud services if they only accept HTTPS connections.
Many cloud services seem to assume you have a platform that can do TLS properly. AWS IoT for example requires TLS, device certs etc. but didn't take into account that a little microcontroller based IoT thingy might not have the right time. Without the right time TLS is useless and many IoT platforms might only have a time that is within the right month and not within the right day that would be required for the very short expiry certificates AWS, Google etc. want to use. There is a disconnect between the service providers and people making stuff that uses the services.
> AFAIK the new Arduinos use such an I2C chip.
There are a few examples of it. One of the earliest IoT platforms (electricimp) used an i2c secure element.
@AndreasSpiess 5 years ago
At least the ESP32 example connects to NTP to get the time. Now I know, why :-) Thanks!
@fouadkhalifa520 1 year ago
Hello Andreas, does adding an ATECC608 chip to the circuit add any advantage?
@AndreasSpiess 1 year ago
I do not know :-(
@e2Dy 1 year ago
Hi Andreas, have you dealt with Matter on ESP32 yet? It might be worth making a video about it. 😊 Sorry for being a little bit off-topic.
@AndreasSpiess 1 year ago
It is too new for me and currently has no advantage over Zigbee (or even a disadvantage). I will cover it when it has more value, I think.
@OldCurmudgeon3DP 5 years ago
Can this work with SMTP sketches that use gmail.com? Or am I looking at this from the wrong angle? The one I found already uses port 465 (I think that's it).
@AndreasSpiess 5 years ago
You are right. This code here, for example (www.instructables.com/id/ESP8266-GMail-Sender/ ), uses WiFiClientSecure.h. Port 465 is the SSL/TLS port for SMTP (mail protocol).
@berniewolf6740 5 years ago
Nice explanation, and good info. Thanks. Have committed some $$ via Patreon.
I found an error message trying to convert a root cert file to .cer format using Cert to ESP8266.py. Fixed by removing the attempt to map the chr function across the hexData, i.e. replaced this:
#hexList = list(''.join(map(chr,hexData)))
with this:
hexList = list(''.join(hexData))
@AndreasSpiess 5 years ago
Thank you for your support! I am not a Python specialist and I found the script on the internet. When I used it I had no errors, if I remember right. Now your code is in the file.
@timothynjeru4998 4 years ago
Hi Bernie, how did you do this?
@ttssoon1975 4 years ago
Already tested. This should work: hexList = list(' '.join(map(chr,hexData))) The 2nd is not working. Thanks!
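The line these two threads (this one and the earlier one from @elmoferguson) disagree about is the cert-to-array step of the Python script from the video. The two variants are a Python 2 versus Python 3 difference: in Python 2 a file opened in binary mode yields one-character strings, so ''.join(hexData) works and chr() raises a TypeError; in Python 3 it yields ints, so ''.join(hexData) fails and only the map(chr, ...) form works. Below is an added example, not the script from the video's repository, written for Python 3 only. It reads the bytes as ints, so neither trick is needed, accepts PEM or DER input, emits the C array the sketches embed, and also prints the SHA-1 fingerprint that the fingerprint-based sketches compare against. The function names, the array name caCert and SAMPLE_DER are my own assumptions; SAMPLE_DER is a constructed byte string, not a real certificate.

```python
"""Added example (not the script from the video's repository): turn a
certificate file into the two forms the ESP sketches use.

Assumptions (not from the page): function names, the output variable name
'caCert', and SAMPLE_DER, which is a constructed byte string, not a real
certificate. Python 3 only.
"""
import base64
import hashlib
import sys
from pathlib import Path
from typing import Tuple

# Constructed sample: begins like a DER SEQUENCE (0x30 0x82 ...) but is NOT a
# real certificate. Used only when no file is given on the command line.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(40))


def pem_to_der(data: bytes) -> bytes:
    """Return DER bytes. PEM input ('-----BEGIN ...' armour) is base64-decoded;
    anything else is assumed to be DER already and returned unchanged."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data
    body = b"".join(
        line.strip() for line in data.splitlines() if not line.startswith(b"-----")
    )
    return base64.b64decode(body)


def to_c_array(der: bytes, name: str = "caCert", per_line: int = 16) -> str:
    """Render DER bytes as a C array, 16 bytes per line.
    Iterating a bytes object in Python 3 yields ints, so each byte is
    formatted directly; no chr()/join conversion is needed."""
    lines = []
    for offset in range(0, len(der), per_line):
        chunk = der[offset:offset + per_line]
        lines.append("    " + ", ".join(f"0x{b:02X}" for b in chunk) + ",")
    body = "\n".join(lines)
    return (
        f"const unsigned char {name}[] = {{\n{body}\n}};\n"
        f"const unsigned int {name}_len = {len(der)};\n"
    )


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-1 of the DER bytes, the format browsers
    show and the fingerprint-based ESP8266 sketches compare against."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def convert(data: bytes, name: str = "caCert") -> Tuple[str, str]:
    """Accept PEM or DER bytes and return (c_array_source, fingerprint)."""
    der = pem_to_der(data)
    return to_c_array(der, name), sha1_fingerprint(der)


if __name__ == "__main__":
    # usage: python cert_to_esp.py [certificate.cer|certificate.pem]
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_DER
    c_array, fingerprint = convert(raw)
    print(c_array)
    print("// SHA-1 fingerprint:", fingerprint)
```

Run it with the downloaded root certificate as the only argument and paste the printed array into the sketch; with no argument it converts the constructed sample so you can see the output shape. Note that the fingerprint of a leaf certificate changes every time the server renews it, whereas the root CA array stays valid until the root itself expires, which is the trade-off several comments below discuss.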
@NicksStuff 6 months ago
Would the ESP be able to connect to the certificate authority to download the new one (and convert it) when it's expiring in 10 years?
@AndreasSpiess 6 months ago
No. You have to do it yourself.
@NicksStuff 6 months ago
@@AndreasSpiess Thank you. OTA update it is, then
@markusrohner9452 4 years ago
Good video. What does "esp8266/Arduino CI has failed" mean? I get 'fd1' as a reply. The certificate verification was successful.
@yashpandit832 5 years ago
I am using the ESP32 WiFiClientSecure library. But it does not have a client.verify function. Just to check, I put in a wrong root CA cert and it still connected to the server and gave HTML data. So, am I doing something wrong, or if not, then how can I verify for the ESP32 that I am connected to the server I wish to be connected to? Thanks in advance.
@AndreasSpiess 5 years ago
This is strange. I thought in my examples this did not work.
@ErkanOkman 5 years ago
👍👏
@AndreasSpiess 5 years ago
:-)
@theUsesOFnot 4 years ago
How can I connect to https when using an Arduino Nano or a Teensy for example? Or do you have to use an ESP8266 development board/MCU? I have an ESP8266 WIFI Module (ESP-01) connected to a Teensy 3.2 board, but when I compile it says "ESP8266WiFi.h cannot be found". If I change the board to "Generic ESP8266" I get an error saying "Multiple libraries were found for ESP8266WiFi.h". So confusing.
@AndreasSpiess 4 years ago
I only work with ESP boards if I need WiFi, so I do not know.
@poweredbysergey 5 years ago
Cool
@AndreasSpiess 5 years ago
Thank you!
@J3zp3rs 4 years ago
Hello Andreas, thank you very much for the video. Although I have a problem: when I put in the certificate and make a const char for it, I get this error: no matching function for call to 'BearSSL::WiFiClientSecure::setCACert(const char*&)'. Please help me!
@AndreasSpiess 4 years ago
Your function is different from mine; I did not use BearSSL. And I do not know how it works because I never tried it.
@narendok2115 3 years ago
Hi sir, can we know, if we are doing encryption for local IP communication with a smartphone or a web browser with a Let's Encrypt SSL certificate, does it need internet on the browser side? Like my local IP, e.g. 192.168.4.1, will it be safe? How can we securely transfer data, should we use a cryptography algorithm etc.?
@AndreasSpiess 3 years ago
Unfortunately, I am no security specialist :-(
@germandkdev 5 years ago
What about secure SSL connections with an ESP only, not the WWW? I mean you can't create a certificate for the random ESP IP etc.?
@AndreasSpiess 5 years ago
The scenario covered in this video was purely connecting an ESP to an HTTPS address. There are many more scenarios thinkable, but so far I never encountered one.
@burmwout5525 4 years ago
If you do not want to bother with manually writing a fingerprint or certificate in your sketch, there is also a framework that automatically includes all root certificates in your ESP8266 sketch. With this you can do HTTPS requests to any URL, and it will always be secure: maakbaas.com/esp8266-iot-framework/logs/https-requests/
@AndreasSpiess 4 years ago
Thank you for the link. Seems to be a good approach. Unfortunately not for the ESP32...
@MeriaDuck 5 years ago
Do you know a way to do client authentication with these microcontrollers? That would be awesome 😀. Thanks
@AndreasSpiess 5 years ago
So far I had no need and did not research it :-(
@s4five 5 years ago
Works with mbedtls, see tls.mbed.org/kb/how-to/mbedtls-tutorial. I have used it with the ESP32 (esp-idf).
@akj7 5 years ago
You do not need to write a program to read that file. They are usually read with hex editors.
@AndreasSpiess 5 years ago
If you have a close look they need a few characters more at the end of each line...
@sandipkumarnandi 3 years ago
Thanks for the explanation, but I tried the same way to call my HTTPS service, which is showing error code -1 with HTTPS. Any guidance would be greatly helpful.
@AndreasSpiess 3 years ago
Quite a lot has changed since I made this video. So it might no longer be up-to-date.
@vishnuprasath4611 3 years ago
Thanks 🙏 Andreas, very good explanation 👍 I learned a lot from this video. And is it possible to start an HTTPS server on a NodeMCU, create our own certificate and then connect it with a client NodeMCU over HTTPS?
@AndreasSpiess 3 years ago
You cannot create certificates with an ESP8266.
@vishnuprasath4611 3 years ago
@@AndreasSpiess 😀 Thank you very much, I will try it 🙏👍👍
@SThomas1972 5 years ago
Why not store the X.509 cert on flash or an SD card, so the cert is not hard coded in the sketch? Using the card, the cert is read from it and can be replaced if it has expired.
@AndreasSpiess 5 years ago
This is possible, of course. But if they expire in 4 years I do not care too much...
@chriswesley594 3 years ago
Hello Andreas, this was great - thank you. Hard-nosed, focused on specifics and only what is needed, as usual. However, I have a couple of questions which might be answerable by you or anyone reading this. I am using the ESP8266: 1. In my case, if the fingerprint is wrong the connection does not proceed - it is refused and no information is returned. So that is not an option for me. Does anyone know how to get around this? 2. Even with the certificate version, it will still stop working in a year or two, so this cannot be how embedded devices solve the problem - they would become non-functional when the certificate expired. How do they do it? Many thanks, Chris
@AndreasSpiess 3 years ago
There are some developments to get the replacement of certificates working. But it is not easy on MCUs. I have no solution for the moment. Maybe somebody else knows. I only know that we can deal with it with IOTAPPSTORY.
@chriswesley594 3 years ago
@@AndreasSpiess Thank you Andreas - a personal reply so fast to a comment on a video years old. You are a MACHINE, and I envy and admire your stamina. The community is vastly better with your contributions. Thanks again, Chris
@akshaydasm.k9388 3 years ago
Can you please make a video on how to use encryption libraries such as wolfSSL with the ESP32?!
@AndreasSpiess 3 years ago
I am no security specialist :-(
@CreativeJE 4 years ago
Hey, is there any easy way we can make HTTPS requests without any fingerprint? Because we will need to update the fingerprint every time it changes and it won't be a good idea.
@AndreasSpiess 4 years ago
I am no internet security specialist, so I do not know.
@elricho72 4 years ago
Hi Andreas, thanks for sharing. I want to ask if you have an example to make GET and POST requests to a hosting page, to send values to a PHP file. I have one, if you want I could send it to you, but today it doesn't work because the HTTPS secure hosting can't receive the data that I send from the ESP8266. Thank you again.
@AndreasSpiess 4 years ago
I have no such examples.
@su_charek 3 years ago
Guys, don't know about you, but I had to add "client.setInsecure();" under the "WiFiClientSecure client;" line. More here: github.com/esp8266/Arduino/issues/4826
@jamisusijarvi646 5 years ago
What about client certificates? Quite often I want to verify the client on the server side as well, with client certificates.
@AndreasSpiess 5 years ago
I do not know. I only wanted to access https websites. Maybe you find some other sources for that topic.
@jamisusijarvi646 5 years ago
@@AndreasSpiess Some HTTPS sites that want to authenticate the client require client certificates. But yes, it's not so common.
@timonsmind6899 5 years ago
Do I need to secure my device/server if both the WiFi AP and the HTTP server are hosted on an ESP32?
@AndreasSpiess 5 years ago
I do not know.
@aldergas01 5 years ago
Hahaha, it's like the mafia, calisse, that's good.
@AndreasSpiess 5 years ago
:-)