Is it safe to use HTTP when obtaining WiFi creds from user?

garyholiday
Posts: 2
Joined: Tue Apr 26, 2022 2:28 pm

Is it safe to use HTTP when obtaining WiFi creds from user?

Postby garyholiday » Wed Apr 12, 2023 3:26 pm

I have an ESP32 running as an access point that has no connection to the internet. It also has a simple HTTP server that accepts only a POST request for WiFi data. A user uses their mobile phone to connect to the AP and then sends an HTTP POST request that contains the WiFi name and password. My concern is, this request is over just HTTP, not HTTPS. Is this a security issue? Technically I'm sending sensitive data; however, the AP is set to only accept one connection at a time. Is there somehow a possibility of a middle man attack or some other issue I'm not seeing?

corz.org
Posts: 80
Joined: Fri Feb 03, 2023 10:44 pm
Location: Aberdeen

Re: Is it safe to use HTTP when obtaining WiFi creds from user?

Postby corz.org » Fri Apr 14, 2023 3:19 am

So anyone with a WiFi device can just connect and ask for credentials?

If so, yes, that's an issue.
HTTP/HTTPS makes no difference if anyone can ask for credentials.

a2800276
Posts: 75
Joined: Sat Jan 23, 2016 1:59 pm

Re: Is it safe to use HTTP when obtaining WiFi creds from user?

Postby a2800276 » Fri Apr 14, 2023 6:51 am

It seems acceptable within reason:

- even though the TCP connection is not TLS protected you still have encryption of the physical layer provided by WPA2
- enabling TLS will be confusing to most users because you can't provide valid server certificates to each ESP32 device. Arguably this detracts from security because you're conditioning users to ignore invalid cert warnings (vs. ignoring "unencrypted connection" warnings ¯\_(ツ)_/¯ )
- traffic can't be sniffed easily, since you are the only connected party
- I assume you require physical interaction with the ESP device to activate the access point?
- corz's caveat applies only if you are using an unprotected WiFi network, but since you say you are changing the WiFi password I assume this is not the case
- technically you are mixing authentication and authorization which is generally considered problematic, and you may want to differentiate admins who can change the password and users of the device in future ...

Rationale: this is how most home routers handle this scenario, though they might require an additional administrative password.
I hope it's obvious that this advice is limited to devices requiring security from casual attackers and wouldn't apply to devices requiring e.g. HIPAA or PCI certification if only for the lack of differentiating authentication and authorization.


It's possible that even if only a single device can connect to the WiFi, a previously connected device may be able to reuse some of the keying material, or compromise the ESP in any number of other ways. Also, allowing only a single device to connect definitely opens you to denial of service attacks. As well as certainly a number of further problems I'm not aware of :)
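
Whatever the transport, the POST body comes from whoever managed to join the AP, so the handler should parse it into bounded buffers and reject anything malformed. The following is an added example, not code from the thread; it assumes a form-encoded body with the hypothetical field names `ssid` and `password` and a target network using a WPA2 passphrase of 8 to 63 printable ASCII characters.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define SSID_MAX 32   /* 802.11 SSID limit in bytes */
#define PSK_MIN  8    /* WPA2 passphrase length limits */
#define PSK_MAX  63
typedef struct { char ssid[SSID_MAX + 1]; char psk[PSK_MAX + 1]; } wifi_creds_t;

/* URL-decode one value (up to '&' or end) into out[cap]; returns length or -1. */
static int decode_value(const char *s, char *out, size_t cap) {
    size_t n = 0;
    for (; *s && *s != '&'; s++) {
        int ch = (unsigned char)*s;
        if (ch == '+') ch = ' ';
        else if (ch == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return -1;
            char hex[3] = { s[1], s[2], 0 };
            ch = (int)strtol(hex, NULL, 16); s += 2;
        }
        if (ch == 0 || n + 1 >= cap) return -1;   /* embedded NUL or value too long */
        out[n++] = (char)ch;
    }
    out[n] = '\0';
    return (int)n;
}

/* Return a pointer to the value of "key=" at the start of a pair, or NULL. */
static const char *find_field(const char *body, const char *key) {
    size_t klen = strlen(key);
    for (; body; body = strchr(body, '&'), body = body ? body + 1 : NULL)
        if (strncmp(body, key, klen) == 0 && body[klen] == '=') return body + klen + 1;
    return NULL;
}

/* Returns 0 and fills *out on success; returns -1 and zeroes *out on any violation. */
int parse_wifi_post(const char *body, wifi_creds_t *out) {
    const char *s = find_field(body, "ssid"), *p = find_field(body, "password");
    int slen = s ? decode_value(s, out->ssid, sizeof out->ssid) : -1;
    int plen = p ? decode_value(p, out->psk, sizeof out->psk) : -1;
    int ok = slen >= 1 && plen >= PSK_MIN;
    for (int i = 0; ok && i < plen; i++)          /* passphrase: printable ASCII only */
        ok = out->psk[i] >= 0x20 && out->psk[i] <= 0x7e;
    if (!ok) memset(out, 0, sizeof *out);         /* never leave partial credentials behind */
    return ok ? 0 : -1;
}

int main(void) {   /* constructed sample body */
    wifi_creds_t c;
    return parse_wifi_post("ssid=Home+Net&password=correct%20horse", &c);
}
```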
