Is the OTA update secure?
Posted: Sat Aug 26, 2017 6:13 pmI'm just looking into the OTA update capabilities - especially the one where the ESP gets its new file from an external server.
In essence it seems to be a simple binary download from that server. That server may or may not take into account the header lines from the ESP request. However it seems all to be done via HTTP (not HTTPS).
That means the ESP can't be sure (or check) that it talks to the correct update server and any credentials and passwords in the sketch (e.g. the one for the Wifi access point) are transmitted in the clear over the network.
Given the fact that ESP can handle encrypted connections to web servers is this not true for OTA updates? Am I missing something?
In essence it seems to be a simple binary download from that server. That server may or may not take into account the header lines from the ESP request. However it seems all to be done via HTTP (not HTTPS).
That means the ESP can't be sure (or check) that it talks to the correct update server and any credentials and passwords in the sketch (e.g. the one for the Wifi access point) are transmitted in the clear over the network.
Given the fact that ESP can handle encrypted connections to web servers is this not true for OTA updates? Am I missing something?