<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><blockquote type="cite" class=""><div text="#000000" bgcolor="#FFFFFF" class="">support for HTTPS will help but not be a 100% protection against MITM attacks.<br class=""></div></blockquote><br class=""></div><div class="">Why not? I think it should protect against MITM ok - but certainly doesn’t address issues at the server end. Using SSL certificate verification, the client can verify the server certificate, and the encrypted SSL link should be sufficient to protect against tampering. But, no idea how good the ESP32 SSL library is for server certificate verification.</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div text="#000000" bgcolor="#FFFFFF" class="">So we could store the public key in the firmware instead and use that to verify all downloads &amp; uploads. That way, anyone can create his/her own key pair to use for personal builds.<br class="">Installing a firmware with another key would still be possible by flashing via USB or SD.<br class=""></div></blockquote><br class=""></div><div class="">Can you elaborate on how you suggest this would be done? During OTA download, I guess (as otherwise this would require boot loader work)?</div><div class=""><br class=""></div><div class="">Regards, Mark.</div><br class=""><div><blockquote type="cite" class=""><div class="">On 7 Apr 2018, at 3:21 PM, Michael Balzer <<a href="mailto:dexter@expeedo.de" class="">dexter@expeedo.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
  
  <div text="#000000" bgcolor="#FFFFFF" class="">
    Mark,<br class="">
    <br class="">
    support for HTTPS will help but not be a 100% protection against
    MITM attacks.<br class="">
    <br class="">
    Regarding code signing, I think we don't need the ESP32 chip level
    protection, the primary concern is malicious downloads / uploads.<br class="">
    <br class="">
    So we could store the public key in the firmware instead and use
    that to verify all downloads &amp; uploads. That way, anyone can
    create his/her own key pair to use for personal builds.<br class="">
    <br class="">
    Installing a firmware with another key would still be possible by
    flashing via USB or SD.<br class="">
    <br class="">
    Regards,<br class="">
    Michael<br class="">
    <br class="">
    <br class="">
    <div class="moz-cite-prefix">On 07.04.2018 at 08:03, Mark
      Webb-Johnson wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:35291E22-7601-4450-BD2A-844EC1EB0ACE@webb-johnson.net" class="">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
      Not at the moment.
      <div class=""><br class="">
      </div>
      <div class="">From my understanding, there are two ways to do this
        (not mutually exclusive):</div>
      <div class=""><br class="">
      </div>
      <div class="">
        <ol class="MailOutline">
          <li class="">Signed firmware<br class="">
            <br class="">
            This is the most comprehensive way. It involves a public key
            stored on the OVMS module itself (burned into e-fuses), and
            a private key used to sign binaries. The boot loader will
            then refuse to load any App whose signature doesn’t match.
            Works with flash encryption as well.<br class="">
            <br class="">
            The problem with this is it conflicts with the nature of
            open source. Once an ESP32 chip is put in that mode, it will
            only execute code signed with that private key. We can’t
            make that public (without destroying the entire security).<br class="">
            <br class="">
          </li>
          <li class="">HTTPS<br class="">
            <br class="">
            This at least provides some protection. We can validate the
            SSL certificate of the server (<a href="http://api.openvehicles.com/" class="" moz-do-not-send="true">api.openvehicles.com</a>) and
            protect somewhat from man-in-the-middle attacks.<br class="">
            <br class="">
            It doesn’t protect against other side-load attacks (such as
            SD CARD firmware load) - but those require physical access
            which is pretty much game over anyway, right?</li>
        </ol>
      </div>
      <div class=""><br class="">
      </div>
      <div class="">I would like to do #2, and made allowance for that
        with ‘ota flash http’ leaving room for ‘ota flash https’. Just
        our http client library is pretty crappy at the moment, and it
        will take some effort to make it support https.</div>
      <div class=""><br class="">
      </div>
      <div class="">Regards, Mark.</div>
      <div class=""><br class="">
        <div class="">
          <blockquote type="cite" class="">
            <div class="">On 6 Apr 2018, at 10:57 PM, Tom Saxton <<a href="mailto:tom@idleloop.com" class="" moz-do-not-send="true">tom@idleloop.com</a>> wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <div class="WordSection1" style="page: WordSection1;
                font-family: Helvetica; font-size: 18px; font-style:
                normal; font-variant-caps: normal; font-weight: normal;
                letter-spacing: normal; text-align: start; text-indent:
                0px; text-transform: none; white-space: normal;
                word-spacing: 0px; -webkit-text-stroke-width: 0px;">
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt;" class="">I don’t have the
                    full context for this discussion, but I’m wondering:
                    is the OTA update mechanism protected against a
                    man-in-the-middle attack?<o:p class=""></o:p></span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt;" class="">     Tom<o:p class=""></o:p></span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div>
                <div style="border-style: solid none none;
                  border-top-width: 1pt; border-top-color: rgb(181, 196,
                  223); padding: 3pt 0in 0in;" class="">
                  <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                    11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-size: 12pt;" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="font-size: 12pt;" class="">OvmsDev <<a href="mailto:ovmsdev-bounces@lists.openvehicles.com" style="color: purple; text-decoration:
                        underline;" class="" moz-do-not-send="true">ovmsdev-bounces@lists.openvehicles.com</a>>
                      on behalf of Mark Webb-Johnson <<a href="mailto:mark@webb-johnson.net" style="color: purple; text-decoration:
                        underline;" class="" moz-do-not-send="true">mark@webb-johnson.net</a>><br class="">
                      <b class="">Reply-To:<span class="Apple-converted-space"> </span></b>OVMS
                      Developers <<a href="mailto:ovmsdev@lists.openvehicles.com" style="color: purple; text-decoration:
                        underline;" class="" moz-do-not-send="true">ovmsdev@lists.openvehicles.com</a>><br class="">
                      <b class="">Date:<span class="Apple-converted-space"> </span></b>Wednesday,
                      April 4, 2018 at 11:51 PM<br class="">
                      <b class="">To:<span class="Apple-converted-space"> </span></b>OVMS
                      Developers <<a href="mailto:ovmsdev@lists.openvehicles.com" style="color: purple; text-decoration:
                        underline;" class="" moz-do-not-send="true">ovmsdev@lists.openvehicles.com</a>><br class="">
                      <b class="">Subject:<span class="Apple-converted-space"> </span></b>Re:
                      [Ovmsdev] OTA status check timeout / SSL problem?<o:p class=""></o:p></span></div>
                </div>
                <div class="">
                  <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                    11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div>
                </div>
                <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                  11pt; font-family: Calibri, sans-serif;" class=""><a name="_MailOriginalBody" class="" moz-do-not-send="true">I think it was a fault on the<span class="Apple-converted-space"> </span></a><a href="http://api.openvehicles.com/" style="color:
                    purple; text-decoration: underline;" class="" moz-do-not-send="true"><span class="">api.openvehicles.com</span><span class=""></span></a><span class=""> config - that
                    shouldn’t be redirecting to https.<o:p class=""></o:p></span></div>
                <div class="">
                  <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                    11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                </div>
                <div class="">
                  <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                    11pt; font-family: Calibri, sans-serif;" class=""><span class="">I fixed it, and it should be ok now.<o:p class=""></o:p></span></div>
                </div>
                <div class="">
                  <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                    11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                </div>
                <div class="">
                  <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                    11pt; font-family: Calibri, sans-serif;" class=""><span class="">Regards, Mark.<o:p class=""></o:p></span></div>
                </div>
                <div class="">
                  <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                    11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                  <div class="">
                    <div class="">
                      <blockquote style="margin-top: 5pt; margin-bottom:
                        5pt;" class="" type="cite">
                        <div class="">
                          <div style="margin: 0in 0in 0.0001pt 0.5in;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class=""><span class="">On 5
                              Apr 2018, at 12:44 AM, Michael Balzer <</span><a href="mailto:dexter@expeedo.de" style="color: purple; text-decoration:
                              underline;" class="" moz-do-not-send="true"><span class="">dexter@expeedo.de</span><span class=""></span></a><span class="">>
                              wrote:<o:p class=""></o:p></span></div>
                        </div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                        <div class="">
                          <div class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><span class="">Mark,<br class="">
                                <br class="">
                                the server check for an OTA update now
                                fails every time, times out after 10
                                seconds.<br class="">
                                <br class="">
                                I think that's because the new server
                                currently does a redirect from http to
                                https also on the<span class="Apple-converted-space"> </span></span><a href="http://api.openvehicles.com/" style="color: purple; text-decoration:
                                underline;" class="" moz-do-not-send="true"><span class="">api.openvehicles.com</span><span class=""></span></a><span class=""><span class="Apple-converted-space"> </span>host.
                                Not sure why the module doesn't fail<br class="">
                                directly on that, maybe it tries to
                                validate the certificate which also does
                                not match.<br class="">
                                <br class="">
                                As the openvehicles server has frequent
                                connectivity issues from here I've added
                                a "nocheck" option to the ota status
                                command and use that for the standard
                                web<br class="">
                                status page. The OTA page still checks
                                for the update.<br class="">
                                <br class="">
                                Regards,<br class="">
                                Michael<br class="">
                                <br class="">
                                --<span class="Apple-converted-space"> </span><br class="">
                                Michael Balzer * Helkenberger Weg 9 *
                                D-58256 Ennepetal<br class="">
                                Phone 02333 / 833 5735 * Mobile 0176 / 206
                                989 26<br class="">
                                <br class="">
_______________________________________________<br class="">
                                OvmsDev mailing list<br class="">
                              </span><a href="mailto:OvmsDev@lists.openvehicles.com" style="color: purple; text-decoration:
                                underline;" class="" moz-do-not-send="true"><span class="">OvmsDev@lists.openvehicles.com</span><span class=""></span></a><span class=""><br class="">
                                <a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" style="color: purple; text-decoration:
                                  underline;" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><o:p class=""></o:p></span></div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <div style="margin: 0in 0in 0.0001pt 0.5in;
                      font-size: 11pt; font-family: Calibri,
                      sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                  </div>
                </div>
                <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                  11pt; font-family: Calibri, sans-serif;" class=""><span class="">_______________________________________________
                    OvmsDev mailing list<span class="Apple-converted-space"> </span><a href="mailto:OvmsDev@lists.openvehicles.com" style="color: purple; text-decoration: underline;" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><span class="Apple-converted-space"> </span><a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" style="color: purple; text-decoration: underline;" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a></span><o:p class=""></o:p></div>
              </div>
              </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br class="">
    </blockquote>
    <br class="">
    <pre class="moz-signature" cols="160">-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Phone 02333 / 833 5735 * Mobile 0176 / 206 989 26
</pre>
  </div>

</div></blockquote></div><br class=""></body></html>
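Added worked example for the approach discussed in this thread: a public key stored in the firmware is used to verify the signature of every OTA image in the download path (Michael's proposal, in the place Mark asks about), so a tampered download, a build signed with a foreign key, or a rollback to an older version is rejected before anything is written. This is not OVMS code and not the project's image format: the image layout, the `OVMS-OTA` magic, the version field and all function names are assumptions made for the demo. Ed25519 is written out from the reference construction in Python so the example runs with no third-party library; it is not constant-time and is for illustration only, a real module would use a vetted library such as mbedTLS.

```python
"""Added example (not OVMS project code) of the scheme Michael proposes above:
a public key compiled into the firmware checks every OTA image before it is
flashed. Ed25519 follows the reference construction so the demo runs offline;
it is NOT constant-time, so a real module should use a vetted library (mbedTLS).
Image layout, MAGIC and all function names are assumptions made for this demo."""
import hashlib, os

# ---- Ed25519 (reference construction, RFC 8032 compatible) -----------------
q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493  # group order
def H(m): return hashlib.sha512(m).digest()
def inv(x): return pow(x, q - 2, q)
d = -121665 * inv(121666) % q                        # curve constant
I = pow(2, (q - 1) // 4, q)                          # sqrt(-1) mod q

def xrecover(y):                                     # x from y, even root chosen
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0: x = (x * I) % q
    if x % 2 != 0: x = q - x
    return x

By = 4 * inv(5) % q
B = [xrecover(By), By]                               # base point

def edwards(P, Q):                                   # affine point addition
    x1, y1 = P; x2, y2 = Q
    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
    return [x3 % q, y3 % q]

def scalarmult(P, e):                                # double-and-add, not constant time
    Q = [0, 1]                                       # neutral element
    for i in range(e.bit_length() - 1, -1, -1):
        Q = edwards(Q, Q)
        if (e >> i) & 1: Q = edwards(Q, P)
    return Q

def encodeint(y): return y.to_bytes(32, "little")
def decodeint(s): return int.from_bytes(s, "little")
def encodepoint(P): return encodeint(P[1] | ((P[0] & 1) << 255))  # y with sign bit of x
def Hint(m): return decodeint(H(m))                  # SHA-512 as 512-bit integer

def decodepoint(s):
    y = decodeint(s) & ((1 << 255) - 1)
    x = xrecover(y)
    if x & 1 != s[31] >> 7: x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return [x, y]

def secret_scalar(sk):                               # clamping per RFC 8032 5.1.5
    h = H(sk)
    return (decodeint(h[:32]) & ((1 << 254) - 8)) | (1 << 254), h[32:]
def publickey(sk): return encodepoint(scalarmult(B, secret_scalar(sk)[0]))

def sign(m, sk, pk):
    a, prefix = secret_scalar(sk)
    r = Hint(prefix + m)                             # deterministic nonce
    R = scalarmult(B, r)
    S = (r + Hint(encodepoint(R) + pk + m) * a) % l
    return encodepoint(R) + encodeint(S)

def verify(sig, m, pk):
    if len(sig) != 64 or len(pk) != 32: return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    S = decodeint(sig[32:])
    if S >= l: return False                          # reject non-canonical S
    return scalarmult(B, S) == edwards(R, scalarmult(A, Hint(encodepoint(R) + pk + m)))

# ---- OTA image check; assumed layout: MAGIC | version LE32 | payload | sig --
MAGIC, SIG_LEN = b"OVMS-OTA", 64                     # MAGIC is invented for the demo

def build_signed_image(payload, version, sk):
    """Build host: the signature covers header AND payload, so the version
    field cannot be rewritten without invalidating the signature."""
    body = MAGIC + version.to_bytes(4, "little") + payload
    return body + sign(body, sk, publickey(sk))

def check_image(image, trusted_pk, installed_version):
    """Module side: verify everything before a single byte reaches the OTA
    partition. Returns (accepted, reason, payload)."""
    if len(image) < len(MAGIC) + 4 + SIG_LEN: return False, "too short", b""
    body, sig = image[:-SIG_LEN], image[-SIG_LEN:]
    if body[:8] != MAGIC: return False, "bad magic", b""
    if not verify(sig, body, trusted_pk): return False, "signature invalid", b""
    if int.from_bytes(body[8:12], "little") < installed_version:
        return False, "rollback refused", b""
    return True, "ok", body[12:]

def demo():
    """Constructed scenarios: genuine, tampered in transit, rollback, foreign key."""
    sk, sk_own = os.urandom(32), os.urandom(32)      # project key and a personal-build key
    pk, pk_own = publickey(sk), publickey(sk_own)    # each compiled into its own firmware
    img = build_signed_image(b"firmware payload (constructed)", 3, sk)
    bad = bytearray(img); bad[14] ^= 0x01            # one payload bit flipped by a MITM
    own = build_signed_image(b"personal build", 4, sk_own)
    return {"genuine":  check_image(img, pk, 3)[1],
            "tampered": check_image(bytes(bad), pk, 3)[1],
            "rollback": check_image(build_signed_image(b"old", 2, sk), pk, 3)[1],
            "foreign":  check_image(own, pk, 3)[1],  # other key vs stock firmware
            "own_key":  check_image(own, pk_own, 3)[1]}  # same image vs own firmware
```

`demo()` returns `ok` for the genuine image and for a personal build checked by firmware carrying that person's own key, and `signature invalid` for the bit-flipped download and for the foreign-key build against stock firmware; the older version is refused as a rollback because the version field sits under the signature. The check runs over the complete downloaded image before anything is written to the OTA partition, which is why it works without touching the boot loader; flashing via USB or SD bypasses it entirely, as Michael notes, since only secure boot at the chip level can enforce a signature there.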