I need to make an WEB based monitoring system using ESP8266, which could display the data. The system will have a user registration form, which should allow to display the data for a particular user. For this purpose I got a remote server (domain). Now I'm facing with some problems, how could I send data to this domain from the ESP? My ESP module uses NodeMCU firmware and I can program it using Lua. I read that there is HTTP GET and POST request methods and I unsuccessfully spent a few days trying to implement one of these methods... Maybe someone could put me on the road What should be the sequence of steps to start sending data to the external server? That would be a big step forward if I could send f.e. constant value variable.
Assuming your NodeMCU is connected to a network and had internet access, you can just do
http.post(url, headers, body, callback)
and it should send a post request to the given URL. HTTPS also works here, but has limitations.
Note that you need to compile the firmware with the HTTP (and TLS if you want HTTPS) module(s) by uncommenting the corresponding line(s) in the app/include/user_modules.h file.
Related
I am working on a project where an Arduino will send measurements and receive commands through an Ethernet interface and a REST API to open and lock a door. For all means, we can consider that the devices are protected, but that the Ethernet network may be accessed. Therefore, a Man-in-the-middle attack is plausible.
The commands to open/lock the door will be part of the reply of an HTTP GET request. In order to prevent a MITM attack where the response is faked to open the lock, I want to use some kind of encrypted response. Now, Arduinos lack the power to use HTTPS, and I want it to be Arduinos because of costs and ease of development.
I have come up with the following scheme:
Both the Arduino and the server have an identical set of index-value registers. The value will be used as a code to encrypt using AES-128.
When the Arduino sends its GET request, it also sends a randomly selected index, indicating to the server which value to use to encrypt the open/lock command.
The server sends a clear text response (JSON) where the command field is an encrypted text.
The Arduino will decode it and apply the required action.
The Arduino will also send some sensor data from time to time. In this case, it will send the index of the code it used to encrypt the data and the encrypted data.
The set of index-value keys is large, so repetitions are rare (but may occur from time to time).
My question is, is this scheme secure? Am I missing something? Is there any other more tested alternative for securing these interactions that doesn't involve using a more advanced platform?
Thanks in advance!
Use an ESP2866 based Arduino. It does not cost significantly more, it uses the same tools but you can use SSL instead of rolling your own solution. I have used the Wemos D1 boards and they work as a drop in Arduino replacement.
I am currently working on a Home Automation project. The following is my setup.
A ESP8266 WiFi module will be connected to various sensors. A light
web server will be running on the module. There will be a Linode Cloud
deployed running certain NodeJS scripts and MongoDB database. The
mobile application(Client) will be sending requests to cloud to
control and monitor various sensors. I will be securing the connection
between the application and cloud using JSON Web Tokens. Also I will
try to use HTTPS to secure this connection.
I am confused on how to secure the communication between the Cloud server and the ESP8266 module. I did a lot of research. Got to know certain concepts but could not get a clear and complete picture. Someone please guide me. Thank You.
Use a token in headers between all you apps.
And when you send request, this will look something like this:
request.post({
url: 'https://mycoolserver.com/',
headers: {
Authorization: 'lalalablablabla'
}
})
UPDATE: As far as you send request, the server on that side checks if your token matches the one he has. There are a lot of security tricks to keep you tokens safe, this one I suggested, is very basic security, but you can do it easily just on flight. Later on you can increase your security level.
Assuming you have a real time clock in both system (Client and Server)
Generate a function something like (((unixTime)/1000) + SomeNumbers) * ASmallNumber Where (unixTime)/1000 is unixTime in second, SomeNumbers is a static number like 897645, ASmallNumber is a small number like 7
This formula will generate a number depends on time. Send this number to the receiver. In receiver (with same SomeNumbers and ASmallNumber value), decode the number and check unixTime using receiver unixTime
example: if (unixTime - decodedUnixTime < 5 && unixTime - decodedUnixTime >0) then message is trusted
I am trying to make a get/post request to a multi-purpose modem for web interface and gsm interface using a PLC(Programmable Logic Controller).
I have been trying to send string data to the modem through the TCP library currently with Schneider Somachine. Every time I make a request, I receive an Error 400 bad request. I am hoping that my program is correct as I can receive an error statement via the modem, but am not sure about the request I need to make in order to receive a positive OK response from the controller.
I have tried making the following requests and all returned with an Error 400 bad request.
GET https://192.168.2.1
GET https://192.168.2.1/api/login?username=admin&password=admin
I have also tried the above without the GET statement and with POST statements as well.
The above requests were done with carriage return and new line characters in the end.
I would really appreciate if someone could help out with the request type that has to be made in order to get that response.
As far as I know, accessing PLC through ajax is not a routine operation. If you can, you can try LECPServer, an open source middleware. It can expose the PLC node address for reading and writing through HTTP POST.
https://github.com/xeden3/LECPServer
Your requests are malformed (that's why you get the 400 response).
It should look like:
GET /path/to/resource/index.html HTTP/1.0
The server (192.168.2.1) and the transport (http vs https) have already been taken care of by the connection. All you're trying to do is tell the device what you want to do. In this case you want to access the login page with your credentials. You also need to specify which version of the protocol to use.
Get /api/login?username=admin&password=admin HTTP/1.0
I am looking at ways to implement a safe client-server communication via HTTPService requests in Flex/Air. The server side is implemented in PHP, whereas the client could be running on a desktop (Air) or on a browser (flex).
The simply usecase that I need help to secure is -
Desktop client sends a request to the server and gets a response
How can I ensure at the server side that the request is being sent from a valid client? From what I could research, Flex doesn't allow for manipulation of request headers so I am failing to manipulate them. All request queries can be seen by using any network monitor, so having a unique (yet static) parameter won't really hit what I am trying to achieve.
On the other hand, the server can be mimicked by simply manipulating the hosts file. At the client end, how can I ensure that I am receiving the response from the actual server and not from an alias added to hosts file
My solution is to encrypt and decrypt data on the both sides.
In the Air data you need to send should be encrypted with as3crypto and send to server where PHP whould decrypt it, Look here in the last post for the working code example decrypt a as3crypto encrypted text in PHP, you can do the same in case of server to client communation.
So you need to keep same Key and IV for both server and client sides, To be more secure you can embed them as binary data in the project http://www.ghostwire.com/blog/archives/as3-embedding-binary-xml/, it's wouldn't be easily viewable for AS3 decompilers, but anyway take for the notice that it might be hacked by the advanced guys.
I have seen many of the posts relating to sending email under linux but they do not address my particular need.
I want to implement code (C/C++) in my linux application that will send me back some kind of notification (in a stealthy way) under a certain program condition. All it needs to send me is less than 50 bytes of status data. The only thing I am guarenteed is that the box will be on a local network which will have access to the Internet via the usual gateway.
One possibility would be to send me a text to my wireless carrier like this:
mynumber#verizon_gateway.com. But that assumes that I have a mail client available on the linux box which is not a guarantee. If I programmed this at the socket layer directly using SMTP I would have to manage a TCP connection which is not what I prefer to do.
Any suggestions of what would be a possible way to send me a notification from my linux app?
Thanks,
-Andres
For email you could use something like SendGrid, specifically their WebAPI - this will allow you to send email with only a HTTP request.
For SMS you could use something like Nexmo, which will allow you to send an SMS with a HTTP request.
Note that you'll have to include your API credentials in the compiled code - a potental security issue (for your credentials).
Disclaimer: I do a bit of developer evangelism for Nexmo.