Writing an SSL HTTPS web server ...

Posted on
  • Does anyone know if it is possible to setup an HTTP server on Espruino that listens using SSL? I.e. serves up HTTP traffic for requests that start "https" such that the content is encrypted during transport?

  • I don't believe it is at the moment. The changes shouldn't be too painful to implement (in network.c) but there's been very little call for it to date, as most people are using HTTPS when connecting to a server on the net.

    On a local network you probably have some privacy, and directly exposing some Espruino device to the internet would be suicide (IMO) as anyone malicious could send out ~100 HTTP requests per second from a single PC and swamp it.

  • The use case that I'm working on is the notion of bootstrapping network connectivity of an Espruino device. Imagine I have an Espruino device which I take with me to my friends house. He has WiFi and is willing to let me have his SSID and password. However, my Espruino has no screen or input source to allow me to enter that information so it can connect to his WiFi. So when Espruino starts, it looks at the list of found SSIDs, realizes that it doesn't know how to connect to any of them and then the Espruino becomes an access point.

    Now .. on my phone, I see the Espruino as a target table access point. I connect my phone to the Espruino and then bring up a browser (on my phone). I am presented with the list of found access points ... I select the one I want to use and enter the password. That is transmitted to the Espruino which says "thank you very much" and now stops being an access point and becomes a station.

    All good ...

    However, I am trying to think of objections folks may have to that technique (also looking for better techniques myself). One is that the password for the WiFi flows over a network to the Espruino so that it can login. I was thinking that if the browser (on the phone) made an SSL connection to Espruino, there would be an ounce more security. I don't know if WiFi traffic is already encrypted (I would guess not). In principle one could then packet sniff and see the password flowing in the clear between my browser and my Espruino. If the Espruino had HTTPS support, that issue would appear to be moot.

    Again ... so far this is all a theoretical story ... but it got me curious about what if anything in Espruino might be presented for server side SSL. I had failed to note that outbound SSL was baked into Espruino and was delighted when it "just worked".

  • As I understand it, WiFi is encrypted. WPA2 is pretty good as far as I know, but the old WEP was crackable. Can anyone confirm? I definitely haven't been too concerned about people snooping on my WPA2 WiFi connection.

    Even so, the chance of someone being able to find and crack your Wifi in the 60 seconds it's on for while you enter login details seems quite small, even if it were unencrypted. If someone cared that much about it they can still use serial :)

    Thanks to @tve's awesome work, this is actually relatively doable right now (I tried at the weekend with a Sonoff and was really impressed with how neat it was).

    • Flash totally standard current firmware to ESP8266
    • Start up ESP8266 - it creates its own access point called ESP_XYZX (where XYZX is part of the MAC address I guess)
    • You connect, telnet in, and send the JS commands to connect to a Wifi network and save
    • Disconnect, reconnect over your proper Wifi network just by typing ESP_XYZX as the hostname, and turn off the AP
    • Job done.

    All that's missing is the HTTP server. I'd love to use Espruino's built in server (rather than making another) and to push Websockets into C code. It could then serve up the whole Web IDE for really easy programming.

    The only real issue there is that the built-in webserver uses JsVars for memory, so it's not totally independent of the code (for instance if it ran out of memory, chances are the web interface would go down).

    As a simple hack, how about:

    • Out of the box, Espruino on Wifi boards loads up some built-in JS code that starts an HTTP server for setting up Wifi.
    • As soon as new code is saved, that JS code stops being loaded

    So now you get to connect with a nice web interface, but the second you've successfully connected with the Web IDE and uploaded code, the HTTP server disappears.

  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview
About

Writing an SSL HTTPS web server ...

Posted by Avatar for Kolban @Kolban

Actions