#232 How to secure our devices using SSL (ESP8266, ESP32, Tutorial)

Most of our IoT devices are insecure and vulnerable. It's high time to learn how to make them more secure, also because unsecured devices will no longer be able to use valuable services without using the HTTPS protocol. Google services, for example, already no longer accept unsecured connections. But is it complicated? Let's find out!

Our ESP8266s and ESP32s support such secure connections. In this video, I will show you how to change your unsecured sketches in a few simple steps. You will also learn some basics about encryption and certificates, which you can use during the next discussion with your boss or your colleagues.

We will cover:
1. How does SSL work? We just need the most basic knowledge
2. How can we access cloud services using HTTPS with our ESP8266 and ESP32?
3. How can we create trust?
4. How much memory is needed on our devices?


Comments

Comparing the CAs to the Mafia was absolutely great! :)

zvpunry

One or two years ago I saw a series of your videos that I really liked. These days I spend hours learning from your videos. The explanations are among the best I have heard in my entire life, the format and presentation are excellent. You are a very good communicator, the speech is clear, precise and summarized. I also like your humor and comments, it makes the content lighter. Sincerely grateful for sharing your knowledge in this way and working so hard to make these super lessons.

alejandrov

Even though I already know most of the SSL details and almost skipped forward, I'm glad I didn't because you explain things very nicely. So well that even after reading about HTTPS from 3-5 different sources, it finally clicks when you explain it. You should teach professionally :-)

ch

This is a great intro into SSL for anyone new to the subject, I do a lot of conversions myself as I use ( mostly dreaded ) KeyStore/TrustStore in Java and have to provide the chains as you describe in the browser. I would just add that anyone venturing into this territory ( even under Windows ) should familiarize themselves with the openssl command and its syntax, just be aware that I have found some quirks with Windows where the only workaround I found was to move all the required files to a Linux system ( VM ) and finish up there.

I too use letsencrypt using the certbot engine to roll my keys when they expire automatically ( In my home ), super slick and easy to get up and going once you understand the basic principles.

Great video as always.

sethrd

Fantastic!

I had used public/private key encryption for years, both as a user and a programmer, without really understanding how it works; I only thought I did. You explained it simply, and in a way I will never forget, before minute five in this video.

Bravo, sir!

altosack

This is something that everyone should be thinking about before any communications take place!

northshorepx

Excellent. Thank you for making a complex subject accessible. Wouldn't it be nice if we didn't have to do this but unfortunately there are always some people who will try to cheat.

asiw

When I first started reading about the ESP8266 when it came out, one of the first things I thought was "ok, but what about encryption?" and was surprised at how hard it was, and how uncommon. Today's IoT infrastructure is pretty unsafe.

I think the best model right now is to use SBCs as central hubs to microcontrollers, since even the cheapest $10 SBCs can do HTTPS just fine. Sometimes, even the work of microcontrollers can be done by the SBC, especially when it isn't timing-critical. Plus you can then code logic as scripts rather than C.

Microcontrollers shine when low-power and real-time processing is required, but the difficulty to make them secure must not be ignored. It's always good to assume that these devices aren't safe and consider the implications. "What could a hacker do with this?" For things like lamp colors, air conditioner automation, motorized blinds, homemade weather stations, etc - then even HTTP is good enough.

..

I had just about given up on this, but this got me on the right track! Thank you!

velox__

In the ESP8266 versions you have "connect(); verify(); connect(); send()", you can leave the second connect() out. Good to see the ESP getting better at TLS encryption! (When I researched, the cert method wasn't available yet.)

geralde.

Some notes:
- If you are running the server (for example when communicating between an esp32 and your PC) you can also create your own certificate authority and make your client esp32 trust that CA. Usually referred to as "self signed" certificates. Same security, less Mafia :)
- For validation via fingerprints you can also use the fingerprint of the certificate authority (or any other point in the chain). Not sure if that's easily available with WifiClientSecure (my esp32 is still in the mail)
- Supporting more cipher suites may actually be bad, as an attacker can remove secure ciphers from that list via a downgrade attack. Therefore you might end up using an insecure cipher.

If you control the server, other options may actually be better for performance. For example you could avoid the asymmetric crypto part by supplying your device with a static symmetric key once. If you only care about integrity (no one else may edit the data) and not about confidentiality (no one else may see the data) just signing the data is enough.

Not sure how much of those is exposed in easy to use libraries for the esp32, but since it can do https, both ideas should be fairly easy to achieve.

sbx
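An added example, not part of the comment above or of the video: the integrity-only option sbx describes, with a static pre-shared key, sketched as a device sender and a server-side verifier. It assumes HMAC-SHA256 as the keyed "signature" and adds a message counter so an authentic frame cannot be replayed; the key, frame layout and function names are constructed for illustration, and the payload travels in the clear, as the comment notes.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real device gets a unique random key at provisioning.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def device_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """Device side: counter (8 bytes, big-endian) || payload || HMAC tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Server side: checks the tag, then rejects replayed or stale counters."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:  # authentic but already seen
            return None
        self.last_counter = counter
        return body[8:]


def demo():
    rx = Receiver(DEVICE_KEY)
    frame = device_frame(DEVICE_KEY, 1, b"temp=21.5")
    tampered = frame[:8] + b"temp=99.9" + frame[-TAG_LEN:]
    return [
        rx.accept(tampered),  # modified payload is rejected
        rx.accept(frame),     # genuine frame is accepted
        rx.accept(frame),     # replay of the same frame is rejected
        rx.accept(device_frame(DEVICE_KEY, 2, b"temp=21.6")),
    ]


if __name__ == "__main__":
    print(demo())
```

The counter has to survive device reboots (for example in flash), otherwise a restarted device sends counters the server has already seen and is rejected.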

This is extremely informative, thank you very much.

SolarWebsite

Thanks Andreas, perfect, all boiled down to what we need to know.... Feel confident to get it done in my own sketches now....

tonybell

Great video and an excellent tutorial on security which usually doesn't get too much attention.

PhG

Thanks a lot. I can now explain with confidence if someone asks me instead of blabbering on. Couldn't find any easy explanation/comparison elsewhere.

UMERLEO

That "guy with a Swiss accent" sure is smart! Thanks Andreas another great lesson :)

freeelectron

Excellent video, thank you. I loved the Mafia parallel, "is he a friend of yours, or is he a friend of *ours*?" as a colleague used to say at work a few years ago. This is something I have been meaning to do for quite some time and your explanation made it even simpler. :-)

gtev

Thank you Andreas, great explanation. Loved the Mafia comparison.

geros

Thanks a lot.... My smart home system with Telegram bot stopped working a few days ago due to this issue.... I didn't find any documents or tutorial to understand but now I think I can make it work again... thanks a lot 🙂

BreakingBytes

Great practical tutorial, thanks a lot!

michelebernasconi