Do not allow access to cleartext credentials from network #3216

Open
schlamar opened this issue Sep 1, 2024 · 4 comments
Labels
won't do Out of scope for this project

Comments

schlamar commented Sep 1, 2024

Issue

Modern IT security is all about layered security. Make each boundary of every application / device as robust as possible. One of the important paradigms is to always assume there is an attacker in the network.

One worst case scenario in this context is getting access to credentials (Wifi, MQTT, ...) via an unauthorized network communication.

So I'm not talking about preventing credential leak by physical access as discussed in #2886.

It is OK to store them in cleartext on the device. But you should never ever make them readable from the web application or from any other network access.

Collaborator

caco3 commented Sep 1, 2024

I agree that it is not good practice. However, @jomjol (the core dev) once decided he does not want to have the responsibility to protect the device (see e.g. #2886). There are several reasons for this. One is the extra work for the devs and the skills that are needed to make it really right and safe. Another reason is the lack of CPU resources for this. The ESP simply is very limited and we already are on our limits RAM-wise.

caco3 added the "won't do" (Out of scope for this project) label Sep 1, 2024
Author

schlamar commented Sep 2, 2024

I have seen #2886. Please note this is a fundamentally different use case.

The other issue is talking about protecting against physical access. This would require some sort of encryption. Though a sophisticated attacker would still be able to extract the encryption key and decrypt the credentials. This would mean a lot of complexity for minimal benefit. I understand that this is out of scope for this project.

The issue I'm talking about is quite the opposite. This would be trivial to solve for a huge benefit regarding IT security.

A solution would be straightforward by making credential config fields and files containing credentials write only. So you can edit them as it used to be but you cannot read them.

This is how any other web application I know of handles this sort of credential configuration.

Author

schlamar commented Sep 2, 2024

[Image: Screenshot_20240902_194038_Chrome]

Example of how this looks in Tasmota.

Collaborator

caco3 commented Sep 2, 2024

> files containing credentials write only

Yes, I think that is the only feasible way unless we restrict the access to the UI.
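
An added example (not the project's code and not written by either participant) of the write-only handling proposed in this thread: reads return a mask in place of each credential, and a mask submitted on save leaves the stored value untouched. The flat `key = value` format, the key names `wifi_password` and `mqtt_password`, and the function names are assumptions made for illustration.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>

// Assumptions: flat "key = value" config text and these hypothetical key names.
static const std::set<std::string> kSecretKeys = {"wifi_password", "mqtt_password"};
static const std::string kMask = "********";

static std::string trim(const std::string& s) {
    const auto b = s.find_first_not_of(" \t\r");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}

// Splits "key = value" and reports whether the key is a credential.
static bool secret_kv(const std::string& line, std::string& key, std::string& val) {
    const auto eq = line.find('=');
    if (eq == std::string::npos) return false;
    key = trim(line.substr(0, eq));
    val = trim(line.substr(eq + 1));
    return kSecretKeys.count(key) > 0;
}

// Read path: the only form of the config a network-facing handler may return.
std::string redact_for_read(const std::string& stored) {
    std::istringstream in(stored);
    std::string out, line, k, v;
    while (std::getline(in, line)) {
        if (secret_kv(line, k, v) && !v.empty()) line = k + " = " + kMask;
        out += line + "\n";
    }
    return out;
}

// Write path: a submitted mask means "unchanged", so the stored secret is kept;
// any other value replaces it. The mask itself is never saved as a credential.
std::string merge_on_write(const std::string& stored, const std::string& submitted) {
    std::map<std::string, std::string> old;
    std::istringstream s(stored), in(submitted);
    std::string out, line, k, v;
    while (std::getline(s, line))
        if (secret_kv(line, k, v)) old[k] = v;
    while (std::getline(in, line)) {
        if (secret_kv(line, k, v) && v == kMask) line = k + " = " + old[k];
        out += line + "\n";
    }
    return out;
}
```

The redaction only holds if every network path that can return the file (editor, file download, backup) goes through the read function. A credential whose real value equals the mask string cannot be set this way.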
