
Can ESP32 web server be made a secure network?

(@mrclassicman)
Member
Joined: 2 years ago
Posts: 18
Topic starter  

I got my ESP32 camera web server up and running as a test set up. It shows as a non-secured network though. Can it be made a secured network? Also, if it can, how difficult would it be to secure it? Thanks in advance for any assistance!

 

Terry 


   
 Biny
(@binaryrhyme)
Member
Joined: 2 years ago
Posts: 269
 

Generally, a secure web connection requires a key issued by a recognized (by the browser) certificate authority within a public / private key infrastructure. More detail than you probably want here:

Browsers and Certificate Validation - SSL.com

So, for the web server to be considered to be secure, you would need to acquire a trusted key from a recognized certificate authority (CA), and install it in the web server (assuming that is supported by the ESP32).

The good news is, it's your server, so you don't need to worry about it overmuch if its traffic is only on your LAN.

I edit my posts to fix typos, correct grammar, or improve clarity. On-screen keyboards are evil.


   
(@davee)
Member
Joined: 3 years ago
Posts: 1674
 

Hi @binaryrhyme and @mrclassicman,

In terms of 'secure', it is necessary to define what you want to be secure. @binaryrhyme has kindly provided an answer relating to how you make an Internet web site more secure for visitors browsing your site ... colloquially this is most obvious as turning an HTTP: site into an HTTPS: site ... which is indeed an important consideration.

This means that the 'conversation' between a browser and the website is encrypted. If the SSL certificate is issued by one of the commercial organisations that (for a fee) also 'audits' the web site owner in some way, then it also provides some assurance that the site is associated with a legitimate person or organisation named on the certificate. 'Lower level' SSL certificates can be used if this extra degree of assurance is not needed, including free ones which might be sufficient for your purpose.

However, SSL does little to prevent the website, which effectively includes any computers in the local network hosting the website, itself being attacked ... and hence I offer a discussion below on that aspect.

----

  My understanding on security aspects is sketchy, but one 'loophole' that hackers use comes to mind. It has been used against some commercial cameras, both 'cheap' unbranded and 'posh' branded, that had poor security. (Also a variety of other odd items, including toys.) I would hope the ESP32 software does not have a similar vulnerability, but I don't know for sure.

Assume:

  • You have one WiFi + wired Ethernet 'home' network, centred around a router, which also forms the gateway to the Internet - which is probably the most common situation in homes.
  • The router will do its best to prevent someone on the Internet accessing devices on the 'home' network, but it is naive to think that will always be 100% effective, as by definition, its role is to allow those devices to access the rest of the World. For example, you may do online shopping and banking on a PC/Mac/mobile phone/tablet that also connects via the same router. Distinguishing between legitimate traffic and a 'good' fake is hard, as many high profile companies and even government military organisations have found out to their cost, and some hackers have very deep pockets to find oversights, especially if they can make an easy million bucks.
  • In this case, each device that logs into your 'home' network, has the SSID + password to log into the network.
  • If one of those devices has poor security, it may be possible for someone on the Internet to 'trick' the device into being controlled remotely into, for example, if it is a camera, sending the camera images to a different site on the Internet, with obvious privacy implications and possible blackmail.
  • Even more seriously, the compromised device may be tricked into revealing the SSID+password ... e.g. by convincing it that it needs to login to the router.
  • Gaining knowledge of SSID+password then provides a 'foothold' onto your 'home' network, which hackers can use to obtain much more 'useful' information ... say your banking login details when you next access your account.

Of course, I am not saying that an ESP32 or any other processor with web access will immediately result in your bank account being cleaned out, but the possibility, over a period of time, of an unpleasant experience is practically impossible to exclude, especially if the device is live 24x7. I will leave others to speculate on the probability of that risk.

I have read several reports where people have set up 'Honeypot' networks, which are virtual networks, set up with known 'holes', and monitoring. The consensus is that they attracted malicious interest within minutes! Apparently there are a lot of sites probing around ... !

Thus personally, I would be wary of putting on a permanently live and active processor, such as ESP32 or Arduino, as a device directly on my 'home' network, if only because I do not have the experience and resources to assess its vulnerability. I am personally contemplating a second 'experimental' network with its own router, maybe using a DMZ (DeMilitarised Zone) approach ... perhaps others would like to comment? No system is going to be 100% secure ... but if we make it hard for the malicious types, hopefully they will look elsewhere for an easier opportunity.

Take care and best wishes, Dave

 


   
(@mrclassicman)
Member
Joined: 2 years ago
Posts: 18
Topic starter  

@davee Thank you very much for all this information. What you have stated here relates directly to my concerns. Before I secured my router, we used to have people parked on the street using it as an access point. I was thinking maybe a motion sensor to activate would make it on less of the time and therefore less visible so to speak. You guys have given me a lot of information to work with, and I really appreciate it. Now to do my homework!

Terry

P.S. this damn thing is pretty cool though!


   
 Biny
(@binaryrhyme)
Member
Joined: 2 years ago
Posts: 269
 

@mrclassicman

As @davee pointed out, the answer depends on the question - the question I answered was how to configure things such that your web browser stops saying your website is insecure, but that complaint is really only relevant when dealing with 3rd party websites on the internet. 

If you want to protect your device from unauthorized access, the simplest way is to restrict its accessibility to your LAN. If you want to access devices on your LAN while out of the house, the most straightforward mechanism is a Remote Access VPN configured on the router that gateways to your ISP, or a VPN server on your network that has been port forwarded from that router.

The exercise of configuring such a capability will be ... educational, lol. This might help:

How to Setup VPN on Your Router (easy, step-by-step tutorial!) - YouTube

 



   
(@mrclassicman)
Member
Joined: 2 years ago
Posts: 18
Topic starter  

@binaryrhyme Well this could turn into a real exercise for a very old and challenged person (me). I have never been very good at IT or more complicated processes. So, at some point I usually call customer support before my brain melts! lol. Thank you so much for this additional information! I will read through it and try and determine where to go from here. You Guys are AWESOME, thank you so much!!!

 

Terry


   
(@davee)
Member
Joined: 3 years ago
Posts: 1674
 

Hi @binaryrhyme,

   Sorry, but I am not sure a VPN will fix the vulnerability I am considering, though it may make it a bit harder, in that the router could be set up to ignore all traffic through its WAN port that is not part of the VPN stream. However, in the case of a residential router, connected only via wires and fibres to the ISP, this is probably the least vulnerable section, excluding actions by privileged groups like comms firms and governments. Of course, if I have got this wrong, please accept my apologies...

------- My thoughts...

The VPN encrypts traffic from the router to the ISP/VPN provider, but it must emerge onto the Internet for you to connect to 'real world' ... from then outwards it is completely 'in the wild' and where most of the bad actors are likely to be. In other words, the VPN is likely to convey their bad intentions as faithfully as if it is an unencrypted connection.

VPN technology has a part to play .. e.g. if you allow your mobile to connect to the nearest 'free WiFi'. In this case one end of the VPN is the mobile itself, and the 'vulnerable' 'free WiFi' section is spanned as encrypted throughout. In this case, it is up to the mobile to defend itself against local attack at the WiFi input stage, by only accepting the VPN traffic from the local WiFi traffic, which is relatively easy, provided the VPN encryption isn't cracked.

(Of course, VPNs are also used to disguise the country of origin and to protect against local 'tapping' by comms companies, etc. , but these are other discussions.)

However, the mobile's operating system, including any security add-ons, must reject any bad traffic entering from the Internet 'at large' via the VPN stream. The latter have organisations like Google, Microsoft and Apple helping to 'watch your back' ... Software and hardware providers for ESP32s and Arduinos may be benign by intention, but are a lot smaller players.... and even the big boys regularly get caught out.

Best wishes, Dave


   
 Biny
(@binaryrhyme)
Member
Joined: 2 years ago
Posts: 269
 

@davee A remote access VPN is a point of vulnerability, and needs to be properly configured to minimize that risk, for sure - as strong an authentication mechanism as can be managed to grant access - but if you want remote access (not saying that is the case) some manner of tunneling into the device needs to be present, and thus a vulnerability is created.

Of course, VPNs are not a monolithic classification. Remote access VPNs are hosted on your home router, to grant access to LAN resources, while outbound VPNs (e.g. NordVPN) that wrap around your traffic to give you privacy from your ISP, or to let you appear to be in another country are the reverse - tunneling out of your LAN and emerging elsewhere. Site to site tunnels never emerge in the wild, yada yada.

There are lots of other options for remote access to LAN resources - (e.g. gotoMyPC, if you've got $30 a month, lol) - but engineering a specific solution is a multidimensional problem. As always, it depends.



   
(@davee)
Member
Joined: 3 years ago
Posts: 1674
 

Hi @binaryrhyme,

  Thanks for your kind and thoughtful reply - it is much appreciated.

Whilst I am probably over paranoid, I think it is a real question - whilst most high profile hackers are probably after mid to large concerns for cash, that doesn't stop a large number of 'bedroom' hackers looking for a quick buck from Joe Public, and tools that the big boys have discarded often get 'recycled'. Connecting ESPs, Arduinos etc to the Internet/Cloud might attract the interest of a few such miscreants, who may well have such kit to hand, so discussing the hazards and mitigations seems worthwhile.

-----

I hope it was obvious, I was only discussing cases in which the ESP32(say) is connected to the Internet in such a way that someone on the Internet could send a packet to it, including any cases in which the 'front door' router could be persuaded to pass it through. In the event the ESP32 CAM was directly connected to (say) a PC server (not using the 'home' network), and the PC server in turn faces towards the Internet, via the 'home' router, then the PC could act as a firewall, protecting the ESP. Furthermore, the ESP would not have SSID and password information for the router, so would be less 'helpful' to a hacker. (I haven't seen such a set up, but it sounds feasible, albeit maybe requiring a lot of new work.)

@mrclassicman mentioned a web server, which I took to imply he was contemplating running the web server on the 'home' network, probably hosted on the ESP32 itself, that would be 'accessible' to anyone on the Internet. (By 'accessible' I mean packets could be sent to it, including packets that could take control of it if it has a vulnerability - not that it would normally send video or other 'normal' responses without providing a password or equivalent.) The basis of the ESP32 CAM demo that Bill has produced one of his excellent videos on shows it acting as a web server, albeit with the assumption that the router was assumed to default to local '192.162.x.x' address access. I assumed mrclassicman was considering extending this type of access to the Internet.

(A local network unconnected from the Internet would probably only be vulnerable to 'white-van man' parked outside his house, with a pile of WiFi listening equipment ... and even I am not that paranoid.. yet ...😀 )

VPN (to me) generically only means traffic is encrypted between two endpoints... there are a number of ways it can be manifest. However, I fail to understand how it would help in this case.

Perhaps you were assuming the ESP32 itself, or possibly a server with a 'smart' firewall acting as its proxy, would be one endpoint of the VPN, the other being ISP?

My concern is in a 'normal' 'home' network, with the ESP as a device on the router network device list, how can we either:

  • protect an ESP32 CAM from being subjected to an attack of malevolent packets
  • be sure the ESP32 has no vulnerabilities, so it will reject all malevolent packets

Perhaps I have not realised the potential of one of the VPN solutions. VPN between two fixed (commercial/funded) sites is a somewhat different proposition, as I would expect some serious firewalls, etc. at each end guarding against attacks. This I assumed was out of scope here. Other examples for 'home working', etc. I imagine are mainly aimed at securing the 'office' servers ... the remote home laptop can be configured to only accept packets from the VPN, which is safer than the usual 'open' access, but this is dependent upon the laptop itself not being vulnerable at the front end. Plus, most home workers will not be providing a web server service through the Internet connection.

A VPN clearly protects against eavesdroppers for the part of the connection that the VPN spans. For web browsing, a normal 'HTTPS' connection encrypts the main conversation, but allows the eavesdropper to monitor the web addresses. A VPN starting inside or at the home network prevents this information leakage. However, unless the VPN extends to the destination server, as happens in the fixed site to site scenario, it seems to leave the 'home' network exposed to incoming attack. Or have I missed something?

Similarly, I was assuming that commercial VPN solutions like gotomyPC are not immediately useful to protect an ESP32 server. Is this an oversight on my part?

Best wishes, Dave


   
 Biny
(@binaryrhyme)
Member
Joined: 2 years ago
Posts: 269
 

@davee We are probably working with different assumptions about what the intended application and attendant concerns are. 😉 @mrclassicman - happy to provide further guidance should you provide greater detail on your intentions. 🙂



   
(@mrclassicman)
Member
Joined: 2 years ago
Posts: 18
Topic starter  

@binaryrhyme As with most things nowadays, one almost has to be an expert at everything to even understand the guidance for the much more knowledgeable helpers! Though I would love to say I understood all that has been said I realistically only caught about ten percent. What I glean from this is that small potatoes less of a problem but still vulnerable. The part that I need more help in understanding is, and this might be difficult for me to verbalize, is the differences of the networks and how they pertain to this ESP32 web cam server. Would there be another means for getting the video feed from this device other than through a webserver? I can also state with total confidence that I know enough to get into trouble and never quite enough to get back out! Basically, is there a simple way out? Shouldn't I just be able to get a direct feed from the camera to my computer without using the browser server route? Again I can't thank you enough for all your input on this subject! It might help if I can explain more of what I would like to do and why this camera just might be the answer. I have an "N" scale model railroad that I like to video in action. Most cameras don't focus very close up so most of my current video's closeups are out of focus. This camera seems to focus at much closer distances which is a plus and that might make up for the lower overall quality of the video. I could edit in the closeups with the better video to overcome some of the issue. If you would care to take a look, I am on YouTube under mrclassicman and the railroad is Cedarville Junction.

 

Terry

This post was modified 2 years ago by mrclassicman

   
(@davee)
Member
Joined: 3 years ago
Posts: 1674
 

Hi @binaryrhyme,

  Thanks for your latest reply ... I agree.

  In general, I am worried about people, who are not that familiar with routers, etc., reconfiguring their 'home' router or other similar actions... it can be a bit like going out, leaving your house keys under the outside mat, assuming no malevolent is going to be smart enough to look there.

It is all too easy to open a bigger access hole than you meant to, much harder to check it doesn't exist, unless you are a hacker that collects all the penetration tools going ...

Take care and best wishes, Dave


   
(@davee)
Member
Joined: 3 years ago
Posts: 1674
 

Hi @mrclassicman,

  As in the better quality quiz shows, let's have a starter question for 10 points ...

Do you want to access the camera away from your house/garage etc.?

Dave


   
(@mrclassicman)
Member
Joined: 2 years ago
Posts: 18
Topic starter  

Funny, but I know what you mean, others might call it a rabbit hole. Six to ten feet with a laptop is all that I would need. The ESP32 apparently has Bluetooth which for this just might work. Is this an avenue I should be looking towards?

 

Terry


   
(@davee)
Member
Joined: 3 years ago
Posts: 1674
 

Hi @mrclassicman,

  I think I have explored a few rabbit holes recently .... not found a rabbit yet though 😀 😀 😀 

This is beginning to sound simpler, so for a bonus 15 points:

Does making the ESP32CAM an 'access point'  that your laptop logs into appeal? i.e.

  1. Assuming you have loaded a modified version of the ESPCAM web server onto the ESP sometime previously
  2. Power up and aim your ESP CAM where you want it to work.
  3. On your laptop, assuming it's Windows or Linux, and within a few metres/yards of the ESP, click to the WiFi icon on the taskbar, disconnect from your home router, then select your ESP CAM access point. (It's probably also the same on Apple, but I haven't got one to check, and they like to 'appear' to be different when they can.)
  4. Use your browser, pretty much as you have previously to run the ESP CAM web server, except the IP address will be different

This way, you are not connected to the Internet. The only way someone can pick up your camera is by being physically close enough to pick up the WiFi signal ... Typically about 50 metres/yards max, though you can push it a bit further with hi-gain aerials, if you have line of sight. So a neighbour or two, plus a guy in a van outside your house with an aerial, would typically be the only potential eavesdroppers... for most of us, this is not a high risk group, but neighbourhoods can vary ... 😉 

Furthermore, even this tiny group could only get access to your ESP CAM and maybe your laptop. If you are really paranoid, use other computers/phones/tablets for any sensitive information, like banking details.

Of course, if you wanted to post some of the video onto YouTube (say), you would need to record it onto the laptop disk, then reverse step 3, so your laptop rejoins your home network and the Internet, and upload the video.

Are we getting close?

Best wishes, Dave
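
The access-point arrangement outlined in the post above comes down to a few lines of network setup on the ESP32. The sketch below is an added example, not code posted by anyone in this thread; the SSID, passphrase, channel and client limit are assumed values to be replaced with your own.

```arduino
// Added example (not from the thread): run the ESP32-CAM as its own
// WPA2-protected access point instead of joining the home router.
#include <WiFi.h>

// Assumed values: pick your own SSID and a long, unique passphrase.
const char *AP_SSID        = "layout-cam";                 // hypothetical name
const char *AP_PASS        = "replace-with-a-long-passphrase";
const int   AP_CHANNEL     = 6;
const int   AP_HIDDEN      = 0;   // 0 = SSID is broadcast
const int   AP_MAX_CLIENTS = 1;   // only the one laptop is expected

int lastClients = -1;

void setup() {
  Serial.begin(115200);

  // WPA2 passphrases are 8 to 63 characters. Refuse to start otherwise;
  // omitting the passphrase entirely would create an open network.
  size_t n = strlen(AP_PASS);
  if (n < 8 || n > 63) {
    Serial.println("Passphrase must be 8..63 characters; AP not started.");
    while (true) delay(1000);
  }

  // AP-only mode: this sketch never calls WiFi.begin(), so it holds no
  // SSID or password for the home router.
  WiFi.mode(WIFI_AP);
  if (!WiFi.softAP(AP_SSID, AP_PASS, AP_CHANNEL, AP_HIDDEN, AP_MAX_CLIENTS)) {
    Serial.println("softAP() failed; AP not started.");
    while (true) delay(1000);
  }

  // With default soft-AP settings this prints 192.168.4.1, the address
  // to open in the browser once the laptop has joined the AP.
  Serial.print("Camera AP up, browse to http://");
  Serial.println(WiFi.softAPIP());

  // Camera initialisation and the web server start go here, e.g. the
  // startCameraServer() call from the stock CameraWebServer example.
}

void loop() {
  // Report changes in the number of associated stations, so an
  // unexpected client shows up on the serial monitor.
  int clients = WiFi.softAPgetStationNum();
  if (clients != lastClients) {
    Serial.printf("Stations connected: %d\n", clients);
    lastClients = clients;
  }
  delay(1000);
}
```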

 


   