ESP8266httpUpdate: How to ensure correct/valid update-file? #3412

Closed
tuxedo0801 opened this issue Jul 11, 2017 · 3 comments

@tuxedo0801
Contributor

Hi there,
how do I prevent the http-ota-update from downloading a wrong/invalid firmware file?

Of course there is an MD5 check available. But what about a file download which gets intercepted/redirected to a kind of malware source? The ESP will download the "wrong" file, check the file integrity with the help of the MD5 sum and will finally update with the malicious firmware...

Is there a https-example for http-ota-update somewhere?
Has anyone thought about signing the firmware file? --> would be independent of https/ssl/tls/...

br,
Alex

@tuxedo0801
Contributor Author

Just found this: #3105

@WheresWally

OK, I have been wondering about this for a while. I would not like to see a takeover of ESP/Arduino cores via the updater.

@earlephilhower
Collaborator

#5213 closed this with full crypto-signed update support, if you enable it.
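
The concern raised in this thread, worked through as an added example (not code from the ESP8266 core or from #5213): an MD5 delivered with the download only shows the file matches what the server sent, while a signature checked against a public key pinned in the device also shows who built it. The toy RSA key, the sample images and all function names are constructed assumptions for an offline run.

```python
import hashlib

# Constructed demo key: two Mersenne primes keep key generation reproducible
# offline. Such a key is NOT secure; a real deployment generates a proper one.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, pinned in the device
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, stays on the build host
K = (N.bit_length() + 7) // 8          # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(firmware: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(firmware), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(firmware).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(firmware: bytes) -> int:
    """Build host: sign the image with the private exponent."""
    return pow(encode(firmware), D, N)

def md5_check(firmware: bytes, md5_hex: str) -> bool:
    """Accept if the image matches the MD5 that came with the download."""
    return hashlib.md5(firmware).hexdigest() == md5_hex

def signature_check(firmware: bytes, signature: int) -> bool:
    """Accept only if the signature verifies under the pinned public key."""
    return 0 <= signature < N and pow(signature, E, N) == encode(firmware)

def serve(firmware: bytes, signature: int) -> dict:
    """An update response; the MD5 is computed by whoever serves the file."""
    md5_hex = hashlib.md5(firmware).hexdigest()
    return {"fw": firmware, "md5": md5_hex, "sig": signature}

def decide(resp: dict) -> tuple:
    """Return (md5 accepted, signature accepted) for one update response."""
    return (md5_check(resp["fw"], resp["md5"]),
            signature_check(resp["fw"], resp["sig"]))

# Constructed sample images.
good = b"\xe9" + b"vendor firmware v1.2" * 50
substituted = b"\xe9" + b"image from a redirected host" * 50
genuine = serve(good, sign(good))
# The other host has no private key, so it can only replay the old signature.
redirected = serve(substituted, genuine["sig"])

if __name__ == "__main__":
    print("genuine    (md5, signature):", decide(genuine))
    print("redirected (md5, signature):", decide(redirected))
```
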
