ssl

16 Articles

Wireshark HTTPS Decryption

March 22, 2022 by 48 Comments

If you’ve done any network programming or hacking, you’ve probably used Wireshark. If you haven’t, then you certainly should. Wireshark lets you capture and analyze data flowing over a network — think of it as an oscilloscope for network traffic. However, by design, HTTPS traffic doesn’t give up its contents. Sure, you can see the packets, but you can’t read them — that’s one of the purposes of HTTPS is to prevent people snooping on your traffic from reading your data. But what if you are debugging your own code? You know what is supposed to be in the packet, but things aren’t working for some reason. Can you decrypt your own HTTPS traffic? The answer is yes and [rl1987] shows you how.

Don’t worry, though. This doesn’t let you snoop on anyone’s information. You need to share a key between the target browser or application and Wireshark. The method depends on the target applications like a browser writing out information about its keys. Chrome, Firefox, and other software that uses NSS/OpenSSL libraries will recognize an SSLKEYLOGFILE environment variable that will cause them to produce the correct output to a file you specify.

How you set this depends on your operating system, and that’s the bulk of the post is describing how to get the environment variable set on different operating systems. Wireshark understands the file created, so if you point it to the same file you are in business.

Of course, this also lets you creep on data the browser and plugins are sending which could be a good thing if you want to know what Google, Apple, or whoever is sending back to their home base using encrypted traffic.

Wireshark and helpers can do lots of things, even Bluetooth. If you just need to replay network data and not necessarily analyze it, you can do that, too.

ESP32 board with battery and nearby antenna

How To Easily Set Up Secure OTA Firmware Updates On ESP32

November 29, 2021 by 12 Comments

After an electronic IoT device has been deployed into the world, it may be necessary to reprogram or update it. But if physical access to the device (or devices) is troublesome or no longer possible, that’s a problem.

OTA updates allow a device to download new firmware, install it, and reboot itself into the new version. Convenient? Yes. Secure? It definitely needs to be.

Fortunately, over-the-air (OTA) firmware updates are a thing, allowing embedded devices to be reprogrammed over their wireless data connection instead of with a physical hardware device. Security is of course a concern, and thankfully [Refik] explains how to set up a basic framework so that ESP32 OTA updates can happen securely, allowing one to deploy devices and still push OTA updates in confidence.

[Refik] begins by setting up a web server using Ubuntu Linux, and sets up HTTPS using a free SSL certificate from Let’s Encrypt, but a self-signed SSL certificate is also an option. Once that is done, the necessary fundamentals are in place to support deploying OTA updates in a secure manner. A bit more configuration, and the rest is up to the IoT devices themselves. [Refik] explains how to set things up using the esp32FOTA library, but we’ve also seen other ways to make OTA simple to use.

You can watch a simple secure OTA firmware update happen in the video, embedded below. There are a lot of different pieces working together, so [Refik] also provides a second video for those viewers who prefer a walkthrough to help make everything clear. Watch them both, after the break.

Continue reading “How To Easily Set Up Secure OTA Firmware Updates On ESP32”

Let’s Encrypt Will Stop Working For Older Android Devices

December 1, 2020 by 20 Comments

Let’s Encrypt was founded in 2012, going public in 2014, with the aim to improve security on the web. The goal was to be achieved by providing free, automated access to SSL and TLS certificates that would allow websites to make the switch over to HTTPS without having to spend any money.

Hundreds of millions of sites rely on Let’s Encrypt for their HTTPS certificate needs. HTTPS security helps protect sites and users, and makes it harder for malicious actors to steal private information.

The project has just announced that, come September 1, 2021, some older software will stop trusting their certificates. Let’s look at why this has come to pass, and what it means going forward.

Certificates Expire

When Let’s Encrypt first went public in early 2016, they issued their own root certificate, by the name ISRG Root X1. However, it takes time for companies to include updated root certificates in their software, so until recently, all Let’s Encrypt certificates were cross-signed by an IdenTrust certificate, DST Root X3. This certificate had been around much longer, and was already supported by the vast majority of OSes and browsers in regular use. This allowed Let’s Encrypt to hit the ground running while they waited for the majority of software to support their own root certificate. Continue reading “Let’s Encrypt Will Stop Working For Older Android Devices”

Ask Hackaday: What Can Be Done With Your Bootlooping Blu-Ray?

June 26, 2020 by 159 Comments

Last Friday, thousands of owners of Samsung Blu Ray players found that their home entertainment devices would no longer boot up. While devices getting stuck in a power-cycling loop is not uncommon, this case stands out as it affected a huge range of devices all at the same time. Samsung’s support forum paints a bleak picture, with one thread on the issue stretching to 177 pages in just a week.

So what is going on, and what can be done to fix the problem? There’s a lot of conflicting information on that. Some people’s gear has started working again, others have not and there are reports of customers being told to seek in-person repair service. Let’s dive in with some wild speculation on the problem and circle back by commiserating about the woes of web-connected appliances.

Continue reading “Ask Hackaday: What Can Be Done With Your Bootlooping Blu-Ray?”

HTTPS For The Internet Of Things

October 21, 2018 by 42 Comments

Every day, we’re connecting more and more devices over the internet. No longer does a household have a single connected computer — there are smartphones, tablets, HVAC systems, deadbolts — you name it, it’s been connected. As the Internet of Things proliferates, it has become readily apparent that security is an issue in this space. [Andreas Spiess] has been working on this very problem, by bringing HTTPS to the ESP8266 and ESP32. 

Being the most popular platform for IOT devices, it makes sense to start with the ESP devices when improving security. In his video, [Andreas] starts at the beginning, covering the basics of SSL, before branching out into how to use these embedded systems with secure cloud services, and the memory requirements to do so. [Andreas] has made the code available on GitHub so it can be readily included in your own projects.

Obviously implementing increased security isn’t free; there’s a cost in terms of processing power, memory, and code complexity. However, such steps are crucial if IOT devices are to become trusted in wider society. A malfunctioning tweeting coffee pot is one thing, but being locked out of your house is another one entirely.

We’ve seen other takes on ESP8266 security before, too. Expect more to come as this field continues to expand.

[Thanks to Baldpower for the tip!]

Chris Conlon: Device Security 101

December 14, 2016 by 10 Comments

We all wring our hands over the security (or lack thereof!) of our myriad smart devices. If you haven’t had your home network hacked through your toaster, or baby cam, you’re missing out on the zeitgeist. But it doesn’t have to be this way — smart devices can be designed with security in mind, and [Chris Conlon] came to Pasadena to give us a talk on the basics.

He starts off the talk with three broad conceptual realms of data security: data in transit, data at rest on the device, and the firmware and how it’s updated. A common thread underlying all of this is cryptography, and he devotes the last section of his  talk to getting that right. So if you’d like a whirlwind tour of device security, watch on!

Continue reading “Chris Conlon: Device Security 101”

Anti-Hack: Free Automated SSL Certificates

March 20, 2016 by 56 Comments

You want to put your credit card number into a web site. You know to look for a secure web site. But what does that really prove? And now that so many electronic projects have Web servers (ok, I’ll say it… the Internet of Things), do you need to secure your web server?

There was a time when getting a secure certificate (at least one that was meaningful) cost a pretty penny. However, a new initiative backed by some major players (like Cisco, Google, Mozilla, and many others) wants to give you a free SSL certificate. One reason they can afford to do this is they have automated the verification process so the cost to provide a certificate is very low.

Continue reading “Anti-Hack: Free Automated SSL Certificates”