What about SSL and proper auth?
This is mainly a suggestion, as I'm looking at the (very interesting) project.
In these days where IoT vulnerabilities are causing many headaches, why not add SSL and at least username/password auth? Adding SSL cert auth can be a plus.
Maybe the SSL cert can be deployed within the firmware itself (or leave it to the implementer to find a way to add it to the system) in order to be updated.
Just a suggestion for a future improvement :)
There's some code in the auth branch that does this. I'm not sure what its status is right now.
Also, you're completely right about security. I wouldn't use this outside of development. Having said that, some risk can be mitigated by signing the firmware update files and having them validated. This workflow isn't done by default in Nerves, though.