Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Drzony
@drzony
Why do you want an https server on esp? Or do you mean on a PC?
https web server is extremely limited on ESP an not really required for the most part
Hasenradball
@hasenradball
The background is the following I want to send http POST data encrypted or so that cannot be seen in the browser.
Drzony
@drzony
what do you mean by "cannot be seen in the browser"? SSL does not do that
SSL encrypts the data between the browser and the server
you can see the data in the browser and on the server
not in the middle
Hasenradball
@hasenradball
example if I send a password via http POST I can see the POST -> data in the console view of the browser
Drzony
@drzony
you will also see that when sending via https
Hasenradball
@hasenradball
this I mean I want encrypt sensible data in the middle.
or if possible not to see anymore in the browser :-)
Drzony
@drzony
the browser encrypts the data when sending it out, so it will always be visible in the browser
there is no possibility to hide the data from the browser
Hasenradball
@hasenradball
But you mean https is not so good on the ESP, right?
Drzony
@drzony
no
that is the way that SSL works
you cannot do it no matter what server you are using
Hasenradball
@hasenradball
sure I mean the encryption part
Drzony
@drzony
when you enter the password in the browser, then the browser constructs the POST request
Hasenradball
@hasenradball
sure
Drzony
@drzony
so it must know the password
to put it into POST
then it encrypts the data, when sending it
so you cannot hide the password from the browser
it will always be visible in the console
Hasenradball
@hasenradball
No that not what I mean, I want to encrypt it during sending
console I mean the developer area -> F12where you can see the post data and son on...
Drzony
@drzony
yes
you will always see the data there, even when using SSL (i.e. https)
SSL only protects from man-in-the-middle attacks
for example when someone like your ISP wants to see the data
do you want to make ESP directly visible on the internet?
or are you afraid of bad actors in your local network?
Hasenradball
@hasenradball
no I am not afraid :-)
But I want to check out how I will work on the ESP.
Hasenradball
@hasenradball
@drzony and I heard that the https faster than http ist this right?
Drzony
@drzony
no
on ESP one https request takes about 3 seconds
(client one)
the server one will probably be even longer
https = http inside SSL, so it cannot be faster
Drzony
@drzony
@earlephilhower Either way I don't think that @hasenradball really needs https
Considering that most browsers will give warnings about self-signed certificates
and all the fuss with setting up https
Hasenradball
@hasenradball
Thanks for the Info I will have a look at the https examples, but if its not faster than http it is not an benefit for me. :-)
Earle F. Philhower, III
@earlephilhower
HTTP's auth is insanely insecure (plaintext b64!) so using TLS to protect that is generally a good practice (but slow on the 8266). But yes, there's no way to keep the browser itself from knowing the password...that's just kind of silly. Anyway, the examples do show both methods so he should be able to choose accordingly. Good luck!
Hasenradball
@hasenradball
:-)
Drzony
@drzony
@earlephilhower If it's only required for sending passwords, then I would go with encrypting it in JS with some master password. Using TLS without validating server cert (i.e. clicking through self signed warning) is also insecure (third party can trick you into entering password on their server)
Hasenradball
@hasenradball
Hello is it possible to send a post request to the ESP8266Webserver with json-formatted data or has the data always be in the type of x-www-form-urlencoded?
2 replies