HTTPS for the Internet of Things

Every day, we’re connecting more and more devices over the internet. No longer does a household have a single connected computer — there are smartphones, tablets, HVAC systems, deadbolts — you name it, it’s been connected. As the Internet of Things proliferates, it has become readily apparent that security is an issue in this space. [Andreas Spiess] has been working on this very problem, by bringing HTTPS to the ESP8266 and ESP32. 

Since the ESP family is the most popular platform for IoT devices, it makes sense to start there when improving security. In his video, [Andreas] starts at the beginning, covering the basics of SSL, before branching out into how to use these embedded systems with secure cloud services, and the memory requirements of doing so. [Andreas] has made the code available on GitHub so it can be readily included in your own projects.

Obviously, implementing increased security isn’t free; there’s a cost in terms of processing power, memory, and code complexity. However, such steps are crucial if IoT devices are to become trusted in wider society. A malfunctioning tweeting coffee pot is one thing, but being locked out of your house is another one entirely.

We’ve seen other takes on ESP8266 security before, too. Expect more to come as this field continues to expand.

[Thanks to Baldpower for the tip!]

36 thoughts on “HTTPS for the Internet of Things”

        1. That’s what I found.

          There is no new code (apart from perhaps the python code to convert a cert file to the cert format hex that the examples use, and he may have got that code from somewhere else and re-purposed it)

  1. “However, such steps are crucial if IOT devices are to become trusted in wider society.”
    I’m not sure if I agree. Connection to IoT devices should be encrypted, but why use inefficient http/https instead of some dedicated protocols?

    1. “but why use inefficient http/https instead of some dedicated protocols?”

      Uh, for the vast majority of standard tcp based web traffic, TLS is the standard… What are you suggesting? tcpcrypt??

      If I’m running an IOT device that’s hosting a web-app, it should be using TLS…

      1. The Web is predominantly REST-based, and using a dedicated/legacy protocol just adds to semantic complexity.

        Yes, transport layer security is required. No, that does not imply HTTPS is the solution. You can use a standardised protocol specifically developed in the IETF for constrained IoT devices, called CoAP, which is REST-based, and can run over UDP (and DTLS) or TCP (and TLS).

        1. Most people using the ESPs (or IOT things in general) tend to use MQTT over TLS sockets, the underlying protocol is small and you have better guarantee of delivery. There are a bunch of libraries and functionality provided without jumping through hoops. If you wanted to set up COAP on something like AWS IOT to stream data over DTLS the path for that isn’t exactly clear, and some desired COAP functionality may not even be capable on ESP at the moment (

    1. IoT is ok as long as you know what you’re doing.
      Well… but perhaps we should need an amateur IoT license to be allowed to do IoST without the S…
      As always: Ask “Cui bono?”!

    2. I can think of plenty of cases where IoT is good:

      1. Door locks – I can now granularly control who has access to my house. I can set up unique passwords for each person, or take data from other sources to allow remote entry.

      2. Various sensors – these can gather basic data ranging from temp probes in rooms and refrigerator/freezer, PIR devices for occupancy, door/window open sensors, cameras, and more. These don’t inherently *do* something but provide ‘senses’ to deciding algorithms.

      3. Servos and Motors – with mechanical stuffs available, actions can be done on a script or based upon input from sensors.

      What can you do with these things? I can walk in a room, and the lights gently turn on. There’s a camera doing basic item recognition, and can tell it’s me, so the lights turn to the colors I like. It sees me with a laptop and then lowers the lights to what I’ve had it before.

      I close the laptop, and watch a movie on the tv. I like drinking wine during a movie, so it establishes a connection with a delivery driver for alcohol (legal where I live). 15 minutes later, the delivery driver gets here and I provide ID. It was already paid for.

      I start feeling warm, and want the temp to turn down some. So I say “Computer, turn down temperature to 65f”, and it does so. It notes that the front door was open, so temp regulation is not ideal, since it’s a lot colder outside.

      The problem with IoT like this, is it’s NOT simple to connect these together for your benefit. Right now, the sensors and actuators are tied to specific devices and to other peoples’ corporate clouds. In effect, *they* control your hardware, not yourself. Look at Nest, Yale locks, Alexa, and plenty others. Your data is whisked away, and you have no understanding or control of what happens.

      That’s why I created this: . It uses a cloud, of only your devices. I started from a basis of “My hardware, using protocols I can use, glued together with open source, along with Tor for cloud computing”. The only thing I use that isn’t mine is the internet, and Tor. Everything else is open sourced, down to the gerbers.

      1. Good idea!
        There is way too much reliance on “The Cloud”, particularly as the cloud in question belongs to someone else.
        I do like the idea of a local cloud, with remote access via a secure VPN or something like that.

    3. I agree with @some guy, most IoT is just a way of generating data to the company (often they give the service free as long as you sign your privacy away).

      I don’t want most of my IoT to head out to the internet and back, I want it to stay in my home. Sadly I won’t be generating enough data to use AI/ML to do something useful in my home but I also won’t be marketing chips that the some company owns.

  2. I’d recommend HPKP. HSTS and strong cipher suites and blocking old versions of TLS doesn’t protect you from public hacking tools.. That’s all if a vulnerability doesn’t get published too..

    1. Disabling old versions of TLS does protect you if the hacking tool exploits a vulnerability in an older version of TLS… I get what you’re saying though, and implementation vulnerabilities will always be a thing.

      HPKP is good. Perhaps even more importantly, not accepting that all CAs some hooligans at google or mozilla decided to put in your trust store should actually stay there is a good thing.

  3. I find this post quite misleading, specifically

    “[Andreas Spiess] has been working on this very problem, by bringing HTTPS to the ESP8266 and ESP32. ”

    I love Andreas’ videos and posts, but he had not brought HTTPS to ESP8266 or ESP32

    The code for HTTPS has been in the Arduino core for the ESP32 and the ESP8266 for some time, and was not written by Andreas

    Looking in github,

    It shows that that WifiSecure was …

    “copercini authored and me-no-dev committed on Feb 11, 2017”

    Andreas’ Python code just converts the cert file to the text format needed for the Arduino example.

    1. It is probably closer to September 2015 that SSL was added for ESP8266 by igrr (Ivan Grokhotkov):

      I didn’t watch the whole video, I’m curious if he mentions the ESP8266 likely lacks enough memory to handle modern day sized asymmetric keys. But yeah, this guy didn’t do much to bring HTTPS to the ESP8266 and ESP32 other than make a video, sort of detracts from the real work that devs have been doing for over three years now.

    2. Roger, you saw the video. I never said I invented anything. I just wanted to explain https so that it can be used by others. My main goal was to still be able to access cloud services when they no longer accept http connections. I had no plans to save the world ,-)
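The conversion step mentioned in this thread, turning a certificate file into the hex array an Arduino sketch embeds, can be sketched as follows. This is an added example, not [Andreas]’ script or code from the ESP Arduino cores; the array name `ca_cert_der` is hypothetical and the sample input is a constructed placeholder, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in (DER SEQUENCE header + 16 filler bytes), not a real certificate.
SAMPLE_DER = bytes([0x30, 0x10]) + bytes(range(16))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

def check_der_envelope(der):
    """Reject truncated or padded input: the outer SEQUENCE length must match exactly."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch (truncated file?)")

def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM file (a chain has several)."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        check_der_envelope(der)
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def to_c_array(der, name="ca_cert_der"):
    """Format DER bytes as a flash-resident C array, 12 bytes per row."""
    rows = [", ".join(f"0x{b:02x}" for b in der[i:i + 12])
            for i in range(0, len(der), 12)]
    body = ",\n  ".join(rows)
    return (f"const unsigned char {name}[] PROGMEM = {{\n  {body}\n}};\n"
            f"const unsigned int {name}_len = {len(der)};\n")

if __name__ == "__main__":
    print(to_c_array(pem_to_der_list(SAMPLE_PEM)[0]))
```

The envelope check catches a certificate file that was cut off during copy and paste before it is compiled into firmware, where the failure would otherwise only show up as a refused TLS handshake on the device.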

  4. One other thing I’d like to see, data signing. I have a board, an ESP8266 IR transceiver, that signs the data. It adds a small chip (looks like an smt transistor) that you can use to create the signature. It ups the layer of trust a bit further.

    While I’d like to think that what I’m sending is of little value to someone else it seems to be enough that big companies want to sell me their IoT cloud service. I’m not really sure what they are doing with the data and that worries me.

  5. That sounds great anything that has to do with, making your own things on or about you and what you do keeping it yours am all in and down for it sounds great sounds more than great actually can’t wait to try it out, thanks for the insight and heads up Let me know when is up and ready shoot it to me if possible, thanks Be Safe and God Bless …… Nathan Trujillo ………

  6. I hope he works too on the https for the esp8266/32 webserver!

    When you make a PWA (progressive web app) and you want to send requests directly to an ESP, you can not because browsers block ‘mixed content’ (HTTPS of your PWA but HTTP for your device).

    It’s sad for some simple projects.

    1. Have you found a solution? I want to do the same thing use pwa that calls directly my intranet esp8266!
      Now there is a bearSSL implementation on esp, but is still not easy to manage with certificate expiring.
