Security
//TODO: Screenshot
Admin User
The web interface of the device can optionally be gated by an administrator username and password combination.
If not set explicitely, this feature is not active and everybody who has network access to the device will be able to read and write configuration and user data (Peripheral status and historical data) from the device.
To activate the username/password authentification, fill out the form fields for
Username, Password, Password (repeat) and click the button. //TODO Field names
// TODO: login!, screenshot
Web interface
Redirect HTTP requests to HTTPS
When checked, the device will force a redirect to all requests to http:// ressources to their https:// version.
Allow read access to dashboard without login
As stated above, if the admin authentication is activated, the device configuration (read and write), as well read access to user data (Peripheral status and historical data) on the dashboard will only be possible after logging in.
By ticking this checkbox, the user data will still be accessible without login.
API-Key
An API-Key is needed for the controlled device with the Box2Box feature, as well as some HTTPS APIs.
Click the button to make the device create an API-Key for this device.
After having generated an API-Key, a and a button will appear.
If you regenerate or delete an API-Key, the old key will be invalid from then on. If you have Box2Box set up, you will have to repeat the process from step 2 of Box2Box: Configuring a controlled device.
Server key and certificate
The web interface of the device is provided by an on device web server, which supports TLS.
To authenticate itself via TLS to connecting clients, a server (private) key and certificate are needed. The device provides a factory default self signed certificate and corresponding key, which gets regenerated after the configuration is reset.
It is also possible for users to upload a custom certificate file and key file on this configuration page, which can be self signed or an actual CA signed certificate with corresponding key for a specific domain, under which the web interface can be reached.
CA certificates
Certificate Authority (CA) certificates are nessecary for TLS encrypted (including HTTPS) connections to external servers, that support TLS.
This is applicable to situations, where the device connects to external servers, as with the Webhooks Box2Box HTTP-Out-Watchdogs features, as long as those connections are configured to use TLS (by specifying the URL protocol as https:// instead of http://).
When browser connect via TLS to a server, they validate the servers authenitcity with the help of CA certificates, that are provided with the browser itself. On successful validation the user sees a lock icon next to the server URL.
This device does not ship with those certificates for memory space reasons. To still be able to verify the authenitcity of a connected server, the user has to provide appropriate CA certificates himself, by uploading them on this configuration page.
Requirements for CA certificates
TLS-Version
1.2
Certificate Key
RSA up to 4096 Bit, as well as ECC NIST P‐256, P‐384, P‐521 etc.
Hash functions for certificate
SHA224, SHA256, SHA384, SHA512
Cipher Suites
ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
ECDHE-ECDSA-WITH-AES-256-CBC-SHA
ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
ECDHE-ECDSA-WITH-AES-128-CBC-SHA
ECDHE-RSA-WITH-AES-256-GCM-SHA384
ECDHE-RSA-WITH-AES-256-CBC-SHA384
ECDHE-RSA-WITH-AES-256-CBC-SHA
ECDHE-RSA-WITH-AES-128-GCM-SHA256
ECDHE-RSA-WITH-AES-128-CBC-SHA256
ECDHE-RSA-WITH-AES-128-CBC-SHA
RSA-WITH-AES-256-GCM-SHA384
RSA-WITH-AES-256-CBC-SHA256
RSA-WITH-AES-256-CBC-SHA
RSA-WITH-AES-128-GCM-SHA256
RSA-WITH-AES-128-CBC-SHA256
RSA-WITH-AES-128-CBC-SHA
// TODO: Screenshots