<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 07.04.2018 at 09:34, Mark
Webb-Johnson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:B567B1A8-ED6F-4E0C-8E11-52A61F235439@webb-johnson.net">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="">
<blockquote type="cite" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">support for
HTTPS will help but not be a 100% protection against MITM
attacks.<br class="">
</div>
</blockquote>
<br class="">
</div>
<div class="">Why not? I think it should protect MITM ok - but
certainly doesn’t address issues at the server end. Using SSL
certificate verification, the client can verify the server
certificate, and the encrypted SSL link should be sufficient to
protect against tampering. But, no idea how good the ESP32 SSL
library is for server certificate verification.</div>
</blockquote>
<br>
The main attack vector besides compromising the server itself is (of
course) the CA system. If you're in control of a CA key, you can
create whatever certificate you need. There are currently about 1500
"trusted" CAs; any of them can possibly be used to produce fake
certificates right now, even (or especially?) the large ones.<br>
<br>
<a class="moz-txt-link-freetext" href="https://blog.qualys.com/ssllabs/2017/09/26/google-and-mozilla-deprecating-existing-symantec-certificates">https://blog.qualys.com/ssllabs/2017/09/26/google-and-mozilla-deprecating-existing-symantec-certificates</a><br>
<br>
<a class="moz-txt-link-freetext" href="https://security.stackexchange.com/questions/42406/how-to-detect-the-nsa-mitm-attack-on-ssl">https://security.stackexchange.com/questions/42406/how-to-detect-the-nsa-mitm-attack-on-ssl</a><br>
<br>
<br>
<blockquote type="cite"
cite="mid:B567B1A8-ED6F-4E0C-8E11-52A61F235439@webb-johnson.net">
<div class="">
<blockquote type="cite" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">So we could
store the public key in the firmware instead and use that to
verify all downloads & uploads. That way, anyone can
create his/her own key pair to use for personal builds.<br
class="">
Installing a firmware with another key would still be
possible by flashing via USB or SD.<br class="">
</div>
</blockquote>
<br class="">
</div>
<div class="">Can you elaborate how you suggest this would be
done? During OTA download, I guess (as otherwise this would
require boot loader work)?</div>
</blockquote>
<br>
Yes, I would check the firmware signature after download/upload and
invalidate the file/partition if it doesn't match.<br>
<br>
Regards,<br>
Michael<br>
<br>
<br>
<blockquote type="cite"
cite="mid:B567B1A8-ED6F-4E0C-8E11-52A61F235439@webb-johnson.net">
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 7 Apr 2018, at 3:21 PM, Michael Balzer <<a
href="mailto:dexter@expeedo.de" class=""
moz-do-not-send="true">dexter@expeedo.de</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class=""> Mark,<br
class="">
<br class="">
support for HTTPS will help but not be a 100% protection
against MITM attacks.<br class="">
<br class="">
Regarding code signing, I think we don't need the ESP32
chip level protection, the primary concern is malicious
downloads / uploads.<br class="">
<br class="">
So we could store the public key in the firmware instead
and use that to verify all downloads & uploads. That
way, anyone can create his/her own key pair to use for
personal builds.<br class="">
<br class="">
Installing a firmware with another key would still be
possible by flashing via USB or SD.<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">On 07.04.2018 at 08:03,
Mark Webb-Johnson wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:35291E22-7601-4450-BD2A-844EC1EB0ACE@webb-johnson.net"
class="">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" class="">
Not at the moment.
<div class=""><br class="">
</div>
<div class="">From my understanding, there are two ways
to do this (not mutually exclusive):</div>
<div class=""><br class="">
</div>
<div class="">
<ol class="MailOutline">
<li class="">Signed firmware<br class="">
<br class="">
This is the most comprehensive way. It involved a
public key stored on the OVMS module itself
(burned into e-fuses), and a private key used to
sign binaries. The boot loader will then refuse to
load any App whose signature doesn’t match. Works
with flash encryption as well.<br class="">
<br class="">
The problem with this is it conflicts with the
nature of open source. Once an ESP32 chip is put
in that mode, it will only execute code signed
with that private key. We can’t make that public
(without destroying the entire security).<br
class="">
<br class="">
</li>
<li class="">HTTPS<br class="">
<br class="">
This at least provides some protection. We can
validate the SSL certificate of the server (<a
href="http://api.openvehicles.com/" class=""
moz-do-not-send="true">api.openvehicles.com</a>)
and protect somewhat from man-in-the-middle
attacks.<br class="">
<br class="">
It doesn’t protect against other side-load attacks
(such as SD CARD firmware load) - but those
require physical access which is pretty much game
over anyway, right?</li>
</ol>
</div>
<div class=""><br class="">
</div>
<div class="">I would like to do #2, and made allowance
for that with ‘ota flash http’ leaving room for ‘ota
flash https’. Just our http client library is pretty
crappy at the moment, and it will take some effort to
make it support https.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 6 Apr 2018, at 10:57 PM, Tom
Saxton <<a href="mailto:tom@idleloop.com"
class="" moz-do-not-send="true">tom@idleloop.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="WordSection1" style="page:
WordSection1; font-family: Helvetica;
font-size: 18px; font-style: normal;
font-variant-caps: normal; font-weight:
normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px;">
<div style="margin: 0in 0in 0.0001pt;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span
style="font-size: 12pt;" class="">I don’t
have the full context for this discussion,
but I’m wondering: is the OTA update
mechanism protected against a
man-in-the-middle attack?<o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span
style="font-size: 12pt;" class=""><o:p
class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span
style="font-size: 12pt;" class=""> Tom<o:p
class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span
style="font-size: 12pt;" class=""><o:p
class=""> </o:p></span></div>
<div style="border-style: solid none none;
border-top-width: 1pt; border-top-color:
rgb(181, 196, 223); padding: 3pt 0in 0in;"
class="">
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><b class=""><span
style="font-size: 12pt;" class="">From:<span
class="Apple-converted-space"> </span></span></b><span
style="font-size: 12pt;" class="">OvmsDev
<<a
href="mailto:ovmsdev-bounces@lists.openvehicles.com"
style="color: purple; text-decoration:
underline;" class=""
moz-do-not-send="true">ovmsdev-bounces@lists.openvehicles.com</a>>
on behalf of Mark Webb-Johnson <<a
href="mailto:mark@webb-johnson.net"
style="color: purple; text-decoration:
underline;" class=""
moz-do-not-send="true">mark@webb-johnson.net</a>><br
class="">
<b class="">Reply-To:<span
class="Apple-converted-space"> </span></b>OVMS
Developers <<a
href="mailto:ovmsdev@lists.openvehicles.com"
style="color: purple; text-decoration:
underline;" class=""
moz-do-not-send="true">ovmsdev@lists.openvehicles.com</a>><br
class="">
<b class="">Date:<span
class="Apple-converted-space"> </span></b>Wednesday,
April 4, 2018 at 11:51 PM<br class="">
<b class="">To:<span
class="Apple-converted-space"> </span></b>OVMS
Developers <<a
href="mailto:ovmsdev@lists.openvehicles.com"
style="color: purple; text-decoration:
underline;" class=""
moz-do-not-send="true">ovmsdev@lists.openvehicles.com</a>><br
class="">
<b class="">Subject:<span
class="Apple-converted-space"> </span></b>Re:
[Ovmsdev] OTA status check timeout / SSL
problem?<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><o:p class=""> </o:p></div>
</div>
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><a
name="_MailOriginalBody" class=""
moz-do-not-send="true">I think it was a
fault on the<span
class="Apple-converted-space"> </span></a><a
href="http://api.openvehicles.com/"
style="color: purple; text-decoration:
underline;" class=""
moz-do-not-send="true"><span class="">api.openvehicles.com</span><span
class=""></span></a><span class=""> config
- that shouldn’t be redirecting to https.<o:p
class=""></o:p></span></div>
<div class="">
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span class=""><o:p
class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span class="">I
fixed it, and it should be ok now.<o:p
class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span class=""><o:p
class=""> </o:p></span></div>
</div>
<div class="">
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span class="">Regards,
Mark.<o:p class=""></o:p></span></div>
</div>
<div class="">
<div style="margin: 0in 0in 0.0001pt 0.5in;
font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><span class=""><o:p
class=""> </o:p></span></div>
<div class="">
<div class="">
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt;" class=""
type="cite">
<div class="">
<div style="margin: 0in 0in 0.0001pt
0.5in; font-size: 11pt;
font-family: Calibri, sans-serif;"
class=""><span class="">On 5 Apr
2018, at 12:44 AM, Michael
Balzer <</span><a
href="mailto:dexter@expeedo.de"
style="color: purple;
text-decoration: underline;"
class="" moz-do-not-send="true"><span
class="">dexter@expeedo.de</span><span
class=""></span></a><span
class="">> wrote:<o:p
class=""></o:p></span></div>
</div>
<div style="margin: 0in 0in 0.0001pt
0.5in; font-size: 11pt; font-family:
Calibri, sans-serif;" class=""><span
class=""><o:p class=""> </o:p></span></div>
<div class="">
<div class="">
<div style="margin: 0in 0in
0.0001pt 0.5in; font-size: 11pt;
font-family: Calibri,
sans-serif;" class=""><span
class="">Mark,<br class="">
<br class="">
the server check for an OTA
update now fails every time,
times out after 10 seconds.<br
class="">
<br class="">
I think that's because the new
server currently does a
redirect from http to https
also on the<span
class="Apple-converted-space"> </span></span><a
href="http://api.openvehicles.com/" style="color: purple;
text-decoration: underline;"
class=""
moz-do-not-send="true"><span
class="">api.openvehicles.com</span><span
class=""></span></a><span
class=""><span
class="Apple-converted-space"> </span>host.
Not sure why the module
doesn't fail<br class="">
directly on that, maybe it
tries to validate the
certificate which also does
not match.<br class="">
<br class="">
As the openvehicles server has
frequent connectivity issues
from here I've added a
"nocheck" option to the ota
status command and use that
for the standard web<br
class="">
status page. The OTA page
still checks for the update.<br
class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
--<span
class="Apple-converted-space"> </span><br
class="">
Michael Balzer * Helkenberger
Weg 9 * D-58256 Ennepetal<br
class="">
Phone 02333 / 833 5735 * Mobile
0176 / 206 989 26<br class="">
<br class="">
_______________________________________________<br class="">
OvmsDev mailing list<br
class="">
</span><a
href="mailto:OvmsDev@lists.openvehicles.com"
style="color: purple;
text-decoration: underline;"
class=""
moz-do-not-send="true"><span
class="">OvmsDev@lists.openvehicles.com</span><span
class=""></span></a><span
class=""><br class="">
<a
href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev"
style="color: purple;
text-decoration: underline;"
class=""
moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><o:p
class=""></o:p></span></div>
</div>
</div>
</blockquote>
</div>
<div style="margin: 0in 0in 0.0001pt
0.5in; font-size: 11pt; font-family:
Calibri, sans-serif;" class=""><span
class=""><o:p class=""> </o:p></span></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="160">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Phone 02333 / 833 5735 * Mobile 0176 / 206 989 26
</pre>
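<p>Worked example of the download-side gate discussed in this thread: a public key compiled into the firmware, the downloaded image checked against its signature, and the partition invalidated on mismatch, so an image signed with someone else's personal-build key (or altered in transit) is never booted. This is added example code in Go, not OVMS code; the blob layout (image followed by a 64-byte Ed25519 signature), the function names and the sample image are assumptions for illustration.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed blob layout for this example (not the OVMS image format):
// [firmware image bytes][64-byte Ed25519 signature over the image bytes].
const sigLen = ed25519.SignatureSize

// verifyImage splits the downloaded blob into image and signature and
// checks the signature against the public key compiled into the firmware.
func verifyImage(builtinPub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) <= sigLen {
		return nil, errors.New("blob too short to carry a signature")
	}
	image, sig := blob[:len(blob)-sigLen], blob[len(blob)-sigLen:]
	if !ed25519.Verify(builtinPub, image, sig) {
		return nil, errors.New("signature does not match built-in public key")
	}
	return image, nil
}

// finishOTA is the post-download gate: true means the new partition may be
// marked valid; false means it is invalidated so the bootloader never runs it.
func finishOTA(builtinPub ed25519.PublicKey, blob []byte) bool {
	_, err := verifyImage(builtinPub, blob)
	return err == nil
}

// signImage is the build-side step: the holder of the private key appends
// a detached signature to the image. Personal builds use their own pair.
func signImage(priv ed25519.PrivateKey, image []byte) []byte {
	return append(append([]byte{}, image...), ed25519.Sign(priv, image)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)    // pair whose public half is built into this firmware
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // someone else's personal-build key
	image := []byte("constructed firmware image bytes")  // constructed sample input
	fmt.Println("own key accepted:  ", finishOTA(pub, signImage(priv, image)))
	fmt.Println("other key accepted:", finishOTA(pub, signImage(otherPriv, image)))
	blob := signImage(priv, image)
	blob[0] ^= 0xff // a single byte altered in transit
	fmt.Println("tampered accepted: ", finishOTA(pub, blob))
}
```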
</body>
</html>