[GH-ISSUE #453] Encrypted key exchange #382

New issue

Closed

opened 2026-02-28 01:25:03 +03:00 by kerem · 3 comments

kerem commented

2026-02-28 01:25:03 +03:00

Owner

Originally created by @ThomasDevoogdt on GitHub (Nov 8, 2017).
Original GitHub issue: https://github.com/tzapu/WiFiManager/issues/453

Are there plans to make the key exchange from web app to the esp8266 secure?
I'm thinking on a Diffie-Hellman key exchange. For the moment it's extremely simple to capture the wifi password that the user has provided.
(https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)

Originally created by @ThomasDevoogdt on GitHub (Nov 8, 2017). Original GitHub issue: https://github.com/tzapu/WiFiManager/issues/453 Are there plans to make the key exchange from web app to the esp8266 secure? I'm thinking on a Diffie-Hellman key exchange. For the moment it's extremely simple to capture the wifi password that the user has provided. (https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)

kerem

2026-02-28 01:25:03 +03:00

closed this issue
added the
enhancement

Discussion
labels

kerem commented

2026-02-28 01:25:03 +03:00

Author

Owner

@tablatronix commented on GitHub (Nov 11, 2017):

I assume you are mostly concerned with open auth mode ? Or are using lots of modules with a known or public password?

That would require a c++ lib and a javascript library, both which are probably huge in comparison.

How about rot13 and nonces ? I mean there is no absolute secure way of client side encyption without using tls.

There has been some discussion of swapping out httpd for the async webserver, which allegedly supports tls, but this would have to be optional compile flag, since it is probably also larger.

@tablatronix commented on GitHub (Nov 11, 2017): I assume you are mostly concerned with open auth mode ? Or are using lots of modules with a known or public password? That would require a c++ lib and a javascript library, both which are probably huge in comparison. How about rot13 and nonces ? I mean there is no absolute secure way of client side encyption without using tls. There has been some discussion of swapping out httpd for the async webserver, which allegedly supports tls, but this would have to be optional compile flag, since it is probably also larger.

kerem commented

2026-02-28 01:25:03 +03:00

Author

Owner

@tablatronix commented on GitHub (Nov 11, 2017):

refs
https://github.com/dchest/tweetnacl-js

@tablatronix commented on GitHub (Nov 11, 2017): refs https://github.com/dchest/tweetnacl-js

kerem commented

2026-02-28 01:25:03 +03:00

Author

Owner

@ThomasDevoogdt commented on GitHub (Nov 12, 2017):

These are indeed the two cases where I had some concerns (open auth or when using a lot of modules). You have indeed a point that these would require additional libraries which are stored on the ESP. When you are talking about rot13 or other techniques, I'm just thinking that it's smarter to not return the password in a plain URL request but as a POST payload. Because people could see it when you are configuring it.

This weekend I adapted the library a bit so it can work with ESPAsyncWebServer. Now I'm loading the WiFiManager as an Iframe in a custom web page. And the page is hosted on the internal ESP storage. I had even success on including a video. So I think that space is in some cases no problem. Maybe It should be a possibility to store these JavaScript files there?

Here's some result.

@ThomasDevoogdt commented on GitHub (Nov 12, 2017): These are indeed the two cases where I had some concerns (open auth or when using a lot of modules). You have indeed a point that these would require additional libraries which are stored on the ESP. When you are talking about rot13 or other techniques, I'm just thinking that it's smarter to not return the password in a plain URL request but as a POST payload. Because people could see it when you are configuring it. This weekend I adapted the library a bit so it can work with [ESPAsyncWebServer](https://github.com/me-no-dev/ESPAsyncWebServer). Now I'm loading the WiFiManager as an Iframe in a custom web page. And the page is hosted on the internal ESP storage. I had even success on including a video. So I think that space is in some cases no problem. Maybe It should be a possibility to store these JavaScript files there? Here's some result. ![2017-11-11-23-17-52](https://user-images.githubusercontent.com/8782469/32702397-e542769c-c7e6-11e7-9235-a08d4a54193b.png)