<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div text="#000000" bgcolor="#FFFFFF" class="">The main attack vector besides compromising the server itself is (of course) the CA system. If you're in control of a CA key, you can create whatever certificate you need. There are currently about 1500 "trusted" CAs, any of them can possibly be used to produce fake certificates right now. even (or especially?) the large ones.</div></blockquote></div><div class=""><br class=""></div><div class="">While I am aware of the concerns, they do seem to be overblown. The entire infrastructure of the SSL Internet relies on these CAs and the trust arrangement. Every HTTPS website uses this, and all your usernames+passwords are protected by it every time you login to a website. Not to mention every on-line bank. If this trusted CA arrangement is broken, to an extend it could threaten us, I think the Internet as a whole would have much bigger problems.</div><div class=""><br class=""></div><div class="">Anyway, in our case we need to explicitly load the trusted CAs into our SSL context at connection time, and that is likely to be 1 or 2 trusted CAs, not 1,500. We are going to need to embed these trusted CAs either in the config or in the firmware itself. Much as I dislike it, we are going to end up with something like a pinned CA anyway.</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div text="#000000" bgcolor="#FFFFFF" class="">Yes, I would check the firmware signature after download/upload and invalidate the file/partition if it doesn't match.</div></blockquote><br class=""></div><div class="">Happy to try. I see that Espressif have some tools and standard ways of doing this (although they go much further with secure boot loaders). I’d rather not mess with the image format to much though - probably easiest to just use Espressif’s tools and implement our own validation at ota flash time.</div><div class=""><br class=""></div><div class="">Regards, Mark.</div><br class=""><div><blockquote type="cite" class=""><div class="">On 7 Apr 2018, at 4:39 PM, Michael Balzer <<a href="mailto:dexter@expeedo.de" class="">dexter@expeedo.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
  
  <div text="#000000" bgcolor="#FFFFFF" class="">
    <br class="">
    <div class="moz-cite-prefix">Am 07.04.2018 um 09:34 schrieb Mark
      Webb-Johnson:<br class="">
    </div>
    <blockquote type="cite" cite="mid:B567B1A8-ED6F-4E0C-8E11-52A61F235439@webb-johnson.net" class="">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
      <div class="">
        <blockquote type="cite" class="">
          <div text="#000000" bgcolor="#FFFFFF" class="">support for
            HTTPS will help but not be a 100% protection against MITM
            attacks.<br class="">
          </div>
        </blockquote>
        <br class="">
      </div>
      <div class="">Why not? I think it should protect MITM ok - but
        certainly doesn’t address issues at the server end. Using SSL
        certificate verification, the client can verify the server
        certificate, and the encrypted SSL link should be sufficient to
        protect against tampering. But, no idea how good the ESP32 SSL
        library is for server certificate verification.</div>
    </blockquote>
    <br class="">
    The main attack vector besides compromising the server itself is (of
    course) the CA system. If you're in control of a CA key, you can
    create whatever certificate you need. There are currently about 1500
    "trusted" CAs, any of them can possibly be used to produce fake
    certificates right now. even (or especially?) the large ones.<br class="">
    <br class="">
<a class="moz-txt-link-freetext" href="https://blog.qualys.com/ssllabs/2017/09/26/google-and-mozilla-deprecating-existing-symantec-certificates">https://blog.qualys.com/ssllabs/2017/09/26/google-and-mozilla-deprecating-existing-symantec-certificates</a><br class="">
    <br class="">
<a class="moz-txt-link-freetext" href="https://security.stackexchange.com/questions/42406/how-to-detect-the-nsa-mitm-attack-on-ssl">https://security.stackexchange.com/questions/42406/how-to-detect-the-nsa-mitm-attack-on-ssl</a><br class="">
    <br class="">
    <br class="">
    <blockquote type="cite" cite="mid:B567B1A8-ED6F-4E0C-8E11-52A61F235439@webb-johnson.net" class="">
      <div class="">
        <blockquote type="cite" class="">
          <div text="#000000" bgcolor="#FFFFFF" class="">So we could
            store the public key in the firmware instead and use that to
            verify all downloads & uploads. That way, anyone can
            create his/her own key pair to use for personal builds.<br class="">
            Installing a firmware with another key would still be
            possible by flashing via USB or SD.<br class="">
          </div>
        </blockquote>
        <br class="">
      </div>
      <div class="">Can you elaborate how you suggest this would be
        done? During OTA download, I guess (as otherwise this would
        require boot loader work)?</div>
    </blockquote>
    <br class="">
    Yes, I would check the firmware signature after download/upload and
    invalidate the file/partition if it doesn't match.<br class="">
    <br class="">
    Regards,<br class="">
    Michael<br class="">
    <br class="">
    <br class="">
    <blockquote type="cite" cite="mid:B567B1A8-ED6F-4E0C-8E11-52A61F235439@webb-johnson.net" class="">
      <div class=""><br class="">
      </div>
      <div class="">Regards, Mark.</div>
      <br class="">
      <div class="">
        <blockquote type="cite" class="">
          <div class="">On 7 Apr 2018, at 3:21 PM, Michael Balzer <<a href="mailto:dexter@expeedo.de" class="" moz-do-not-send="true">dexter@expeedo.de</a>> wrote:</div>
          <br class="Apple-interchange-newline">
          <div class="">
            <meta http-equiv="Content-Type" content="text/html;
              charset=utf-8" class="">
            <div text="#000000" bgcolor="#FFFFFF" class=""> Mark,<br class="">
              <br class="">
              support for HTTPS will help but not be a 100% protection
              against MITM attacks.<br class="">
              <br class="">
              Regarding code signing, I think we don't need the ESP32
              chip level protection, the primary concern is malicious
              downloads / uploads.<br class="">
              <br class="">
              So we could store the public key in the firmware instead
              and use that to verify all downloads & uploads. That
              way, anyone can create his/her own key pair to use for
              personal builds.<br class="">
              <br class="">
              Installing a firmware with another key would still be
              possible by flashing via USB or SD.<br class="">
              <br class="">
              Regards,<br class="">
              Michael<br class="">
              <br class="">
              <br class="">
              <div class="moz-cite-prefix">Am 07.04.2018 um 08:03
                schrieb Mark Webb-Johnson:<br class="">
              </div>
              <blockquote type="cite" cite="mid:35291E22-7601-4450-BD2A-844EC1EB0ACE@webb-johnson.net" class="">
                <meta http-equiv="Content-Type" content="text/html;
                  charset=utf-8" class="">
                Not at the moment.
                <div class=""><br class="">
                </div>
                <div class="">From my understanding, there are two ways
                  to do this (not mutually exclusive):</div>
                <div class=""><br class="">
                </div>
                <div class="">
                  <ol class="MailOutline">
                    <li class="">Signed firmware<br class="">
                      <br class="">
                      This is the most comprehensive way. It involved a
                      public key stored on the OVMS module itself
                      (burned into e-fuses), and a private key used to
                      sign binaries. The boot loader will then refuse to
                      load any App who’s signature doesn’t match. Works
                      with flash encryption as well.<br class="">
                      <br class="">
                      The problem with this is it conflicts with the
                      nature of open source. Once an ESP32 chip is put
                      in that mode, it will only execute code signed
                      with that private key. We can’t make that public
                      (without destroying the entire security).<br class="">
                      <br class="">
                    </li>
                    <li class="">HTTPS<br class="">
                      <br class="">
                      This at least provides some protection. We can
                      validate the SSL certificate of the server (<a href="http://api.openvehicles.com/" class="" moz-do-not-send="true">api.openvehicles.com</a>)
                      and protect somewhat from man-in-the-middle
                      attacks.<br class="">
                      <br class="">
                      It doesn’t protect against other side-load attacks
                      (such as SD CARD firmware load) - but those
                      require physical access which is pretty much game
                      over anyway, right?</li>
                  </ol>
                </div>
                <div class=""><br class="">
                </div>
                <div class="">I would like to do #2, and made allowance
                  for that with ‘ota flash http’ leaving room for ‘ota
                  flash https’. Just our http client library is pretty
                  crappy at the moment, and it will take some effort to
                  make it support https.</div>
                <div class=""><br class="">
                </div>
                <div class="">Regards, Mark.</div>
                <div class=""><br class="">
                  <div class="">
                    <blockquote type="cite" class="">
                      <div class="">On 6 Apr 2018, at 10:57 PM, Tom
                        Saxton <<a href="mailto:tom@idleloop.com" class="" moz-do-not-send="true">tom@idleloop.com</a>>
                        wrote:</div>
                      <br class="Apple-interchange-newline">
                      <div class="">
                        <div class="WordSection1" style="page:
                          WordSection1; font-family: Helvetica;
                          font-size: 18px; font-style: normal;
                          font-variant-caps: normal; font-weight:
                          normal; letter-spacing: normal; text-align:
                          start; text-indent: 0px; text-transform: none;
                          white-space: normal; word-spacing: 0px;
                          -webkit-text-stroke-width: 0px;">
                          <div style="margin: 0in 0in 0.0001pt;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class=""><span style="font-size: 12pt;" class="">I don’t
                              have the full context for this discussion,
                              but I’m wondering: is the OTA update
                              mechanism protected against a
                              man-in-the-middle attack?<o:p class=""></o:p></span></div>
                          <div style="margin: 0in 0in 0.0001pt;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class=""><span style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div>
                          <div style="margin: 0in 0in 0.0001pt;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class=""><span style="font-size: 12pt;" class="">     Tom<o:p class=""></o:p></span></div>
                          <div style="margin: 0in 0in 0.0001pt;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class=""><span style="font-size: 12pt;" class=""><o:p class=""> </o:p></span></div>
                          <div style="border-style: solid none none;
                            border-top-width: 1pt; border-top-color:
                            rgb(181, 196, 223); padding: 3pt 0in 0in;" class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><b class=""><span style="font-size: 12pt;" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="font-size: 12pt;" class="">OvmsDev
                                <<a href="mailto:ovmsdev-bounces@lists.openvehicles.com" style="color: purple; text-decoration:
                                  underline;" class="" moz-do-not-send="true">ovmsdev-bounces@lists.openvehicles.com</a>>
                                on behalf of Mark Webb-Johnson <<a href="mailto:mark@webb-johnson.net" style="color: purple; text-decoration:
                                  underline;" class="" moz-do-not-send="true">mark@webb-johnson.net</a>><br class="">
                                <b class="">Reply-To:<span class="Apple-converted-space"> </span></b>OVMS
                                Developers <<a href="mailto:ovmsdev@lists.openvehicles.com" style="color: purple; text-decoration:
                                  underline;" class="" moz-do-not-send="true">ovmsdev@lists.openvehicles.com</a>><br class="">
                                <b class="">Date:<span class="Apple-converted-space"> </span></b>Wednesday,
                                April 4, 2018 at 11:51 PM<br class="">
                                <b class="">To:<span class="Apple-converted-space"> </span></b>OVMS
                                Developers <<a href="mailto:ovmsdev@lists.openvehicles.com" style="color: purple; text-decoration:
                                  underline;" class="" moz-do-not-send="true">ovmsdev@lists.openvehicles.com</a>><br class="">
                                <b class="">Subject:<span class="Apple-converted-space"> </span></b>Re:
                                [Ovmsdev] OTA status check timeout / SSL
                                problem?<o:p class=""></o:p></span></div>
                          </div>
                          <div class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><o:p class=""> </o:p></div>
                          </div>
                          <div style="margin: 0in 0in 0.0001pt 0.5in;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class=""><a name="_MailOriginalBody" class="" moz-do-not-send="true">I think it was a
                              fault on the<span class="Apple-converted-space"> </span></a><a href="http://api.openvehicles.com/" style="color: purple; text-decoration:
                              underline;" class="" moz-do-not-send="true"><span class="">api.openvehicles.com</span><span class=""></span></a><span class=""> config
                              - that shouldn’t be redirecting to https.<o:p class=""></o:p></span></div>
                          <div class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                          </div>
                          <div class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><span class="">I
                                fixed it, and it should be ok now.<o:p class=""></o:p></span></div>
                          </div>
                          <div class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                          </div>
                          <div class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><span class="">Regards,
                                Mark.<o:p class=""></o:p></span></div>
                          </div>
                          <div class="">
                            <div style="margin: 0in 0in 0.0001pt 0.5in;
                              font-size: 11pt; font-family: Calibri,
                              sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                            <div class="">
                              <div class="">
                                <blockquote style="margin-top: 5pt;
                                  margin-bottom: 5pt;" class="" type="cite">
                                  <div class="">
                                    <div style="margin: 0in 0in 0.0001pt
                                      0.5in; font-size: 11pt;
                                      font-family: Calibri, sans-serif;" class=""><span class="">On 5 Apr
                                        2018, at 12:44 AM, Michael
                                        Balzer <</span><a href="mailto:dexter@expeedo.de" style="color: purple;
                                        text-decoration: underline;" class="" moz-do-not-send="true"><span class="">dexter@expeedo.de</span><span class=""></span></a><span class="">> wrote:<o:p class=""></o:p></span></div>
                                  </div>
                                  <div style="margin: 0in 0in 0.0001pt
                                    0.5in; font-size: 11pt; font-family:
                                    Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                                  <div class="">
                                    <div class="">
                                      <div style="margin: 0in 0in
                                        0.0001pt 0.5in; font-size: 11pt;
                                        font-family: Calibri,
                                        sans-serif;" class=""><span class="">Mark,<br class="">
                                          <br class="">
                                          the server check for an OTA
                                          update now fails every time,
                                          times out after 10 seconds.<br class="">
                                          <br class="">
                                          I think that's because the new
                                          server currently does a
                                          redirect from http to https
                                          also on the<span class="Apple-converted-space"> </span></span><a href="http://api.openvehicles.com/" style="color: purple;
                                          text-decoration: underline;" class="" moz-do-not-send="true"><span class="">api.openvehicles.com</span><span class=""></span></a><span class=""><span class="Apple-converted-space"> </span>host.
                                          Not sure why the module
                                          doesn't fail<br class="">
                                          directly on that, maybe it
                                          tries to validate the
                                          certificate which also does
                                          not match.<br class="">
                                          <br class="">
                                          As the openvehicles server has
                                          frequent connectivity issues
                                          from here I've added a
                                          "nocheck" option to the ota
                                          status command and use that
                                          for the standard web<br class="">
                                          status page. The OTA page
                                          still checks for the update.<br class="">
                                          <br class="">
                                          Regards,<br class="">
                                          Michael<br class="">
                                          <br class="">
                                          --<span class="Apple-converted-space"> </span><br class="">
                                          Michael Balzer * Helkenberger
                                          Weg 9 * D-58256 Ennepetal<br class="">
                                          Fon 02333 / 833 5735 * Handy
                                          0176 / 206 989 26<br class="">
                                          <br class="">
_______________________________________________<br class="">
                                          OvmsDev mailing list<br class="">
                                        </span><a href="mailto:OvmsDev@lists.openvehicles.com" style="color: purple;
                                          text-decoration: underline;" class="" moz-do-not-send="true"><span class="">OvmsDev@lists.openvehicles.com</span><span class=""></span></a><span class=""><br class="">
                                          <a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" style="color: purple;
                                            text-decoration: underline;" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><o:p class=""></o:p></span></div>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                              <div style="margin: 0in 0in 0.0001pt
                                0.5in; font-size: 11pt; font-family:
                                Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div>
                            </div>
                          </div>
                          <div style="margin: 0in 0in 0.0001pt 0.5in;
                            font-size: 11pt; font-family: Calibri,
                            sans-serif;" class=""><span class="">_______________________________________________
                              OvmsDev mailing list<span class="Apple-converted-space"> </span><a href="mailto:OvmsDev@lists.openvehicles.com" style="color: purple;
                                text-decoration: underline;" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><span class="Apple-converted-space"> </span><a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" style="color: purple; text-decoration:
                                underline;" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a></span><o:p class=""></o:p></div>
                        </div>
                        <span style="font-family: Helvetica; font-size:
                          18px; font-style: normal; font-variant-caps:
                          normal; font-weight: normal; letter-spacing:
                          normal; text-align: start; text-indent: 0px;
                          text-transform: none; white-space: normal;
                          word-spacing: 0px; -webkit-text-stroke-width:
                          0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Helvetica; font-size:
                          18px; font-style: normal; font-variant-caps:
                          normal; font-weight: normal; letter-spacing:
                          normal; text-align: start; text-indent: 0px;
                          text-transform: none; white-space: normal;
                          word-spacing: 0px; -webkit-text-stroke-width:
                          0px;" class="">
                        <span style="font-family: Helvetica; font-size:
                          18px; font-style: normal; font-variant-caps:
                          normal; font-weight: normal; letter-spacing:
                          normal; text-align: start; text-indent: 0px;
                          text-transform: none; white-space: normal;
                          word-spacing: 0px; -webkit-text-stroke-width:
                          0px; float: none; display: inline !important;" class="">OvmsDev mailing list</span><br style="font-family: Helvetica; font-size:
                          18px; font-style: normal; font-variant-caps:
                          normal; font-weight: normal; letter-spacing:
                          normal; text-align: start; text-indent: 0px;
                          text-transform: none; white-space: normal;
                          word-spacing: 0px; -webkit-text-stroke-width:
                          0px;" class="">
                        <a href="mailto:OvmsDev@lists.openvehicles.com" style="color: purple; text-decoration:
                          underline; font-family: Helvetica; font-size:
                          18px; font-style: normal; font-variant-caps:
                          normal; font-weight: normal; letter-spacing:
                          normal; orphans: auto; text-align: start;
                          text-indent: 0px; text-transform: none;
                          white-space: normal; widows: auto;
                          word-spacing: 0px; -webkit-text-size-adjust:
                          auto; -webkit-text-stroke-width: 0px;" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br style="font-family: Helvetica; font-size:
                          18px; font-style: normal; font-variant-caps:
                          normal; font-weight: normal; letter-spacing:
                          normal; text-align: start; text-indent: 0px;
                          text-transform: none; white-space: normal;
                          word-spacing: 0px; -webkit-text-stroke-width:
                          0px;" class="">
                        <a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" style="color: purple; text-decoration:
                          underline; font-family: Helvetica; font-size:
                          18px; font-style: normal; font-variant-caps:
                          normal; font-weight: normal; letter-spacing:
                          normal; orphans: auto; text-align: start;
                          text-indent: 0px; text-transform: none;
                          white-space: normal; widows: auto;
                          word-spacing: 0px; -webkit-text-size-adjust:
                          auto; -webkit-text-stroke-width: 0px;" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a></div>
                    </blockquote>
                  </div>
                  <br class="">
                </div>
                <br class="">
                <fieldset class="mimeAttachmentHeader"></fieldset>
                <br class="">
                <pre class="" wrap="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.openvehicles.com" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a>
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a>
</pre>
              </blockquote>
              <br class="">
              <pre class="moz-signature" cols="160">-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
            </div>
            _______________________________________________<br class="">
            OvmsDev mailing list<br class="">
            <a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
            <a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
          </div>
        </blockquote>
      </div>
      <br class="">
      <br class="">
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br class="">
      <pre wrap="" class="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.openvehicles.com">OvmsDev@lists.openvehicles.com</a>
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a>
</pre>
    </blockquote>
    <br class="">
    <pre class="moz-signature" cols="160">-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
  </div>

_______________________________________________<br class="">OvmsDev mailing list<br class=""><a href="mailto:OvmsDev@lists.openvehicles.com" class="">OvmsDev@lists.openvehicles.com</a><br class="">http://lists.openvehicles.com/mailman/listinfo/ovmsdev<br class=""></div></blockquote></div><br class=""></body></html>