My experience with self-signed certs is not that great. Browsers don't like them and balk at accepting them. When added to the keyring, they disappear after a while (maybe an upgrade messes with them?) and just create lots of issues when accessing a site. I would prefer some other encryption method that can be set up and used without a lot of fiddling every time a user wants to use them.

Mark

On Tue, Dec 19, 2023 at 3:04 AM Anthony Radzykewycz <anthony.radzykewycz@gatewaycc.edu> wrote:

> It’d be my understanding that the AP would handle encryption over the air.
> If you wanted the web traffic to also be encrypted, I think the self-signed
> SSL certificates would suffice in this given application. To sniff that
> traffic, the attacker would have to be on the same network, as well, so
> guarding the AP with the aforementioned controls should prevent that.
> Presuming they did get in, capturing https traffic would be encrypted vs
> the plaintext counterpart of http.
>
> On Mon, Dec 18, 2023 at 11:04 PM Mark Phillips wrote:
>
>> Thanks, Anthony. I will see if the tp-link has a white list capability.
>> If not, I will look into another AP device.
>>
>> There is another safety feature I forgot to mention. A physical disarm
>> switch on the launcher, so the ignition circuit is disabled when it is
>> engaged. However, one can forget to do that (maybe only once!), but I also
>> don't want an attacker launching the rocket at any point.
>>
>> Is there any way to encrypt the traffic between the cell phone and the web
>> server on the Pi? To prevent someone from monitoring the various passwords?
>>
>> Mark
>>
>> On Mon, Dec 18, 2023, 10:35 PM Anthony Radzykewycz via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
>>
>>> That sounds pretty neat. Something you may want to add is a whitelist of
>>> allowed devices to the AP. That way, they’d also have to spoof your MAC
>>> (not impossible, but makes it harder). Other than that, it sounds like you
>>> are definitely doing the right thing in your defense in depth approach.
>>>
>>> On Mon, Dec 18, 2023 at 10:25 PM Mark Phillips via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
>>>
>>>> I am working on a project and need some security advice.
>>>>
>>>> The project is a wireless model rocket launcher. It consists of a
>>>> Raspberry Pi 2 W (Debian Buster) connected to a daughter board
>>>> with circuitry to control the current to ignite the igniter, a TP-Link Wifi
>>>> AP, and a cell phone. There is a web site (apache and flask) running on the
>>>> Pi that allows the user to control the circuits on the daughter board to
>>>> launch the rocket.
>>>>
>>>> The typical location for launching the rockets is in a large field far
>>>> from any buildings or trees. Typically, there is no Internet connectivity
>>>> even on cell phones, but there are quite a few people attending the launch.
>>>> There are also times when this launcher will be used in a more urban
>>>> environment (like a high school), and I want to make the system
>>>> "unattractive" to the high school students who think it would be cool to
>>>> hack the launcher during a launch.
>>>>
>>>> I want to set up some sort of secure connection between the cell phone
>>>> and the web site running on the Pi. My main concern is an attacker
>>>> connecting to the web site and igniting the rocket while the user is
>>>> connecting the wires to the igniter. Model rocket motors generate an
>>>> exhaust gas with a temperature of ~3,000 F. Also, the igniter needs 2-4 A
>>>> dc for 300 - 500 msec to ignite the rocket motor.
>>>>
>>>> I thought about SSL, but I would have to use a self signed certificate
>>>> (assuming no Internet), and I have read that it is not that secure. I am
>>>> using a long password to access the AP, a password protected login to the
>>>> web site, and another password as a launch key to enable the igniter
>>>> circuit and launch the rocket.
>>>>
>>>> I am not a network security guru, so I am not really sure what my
>>>> options are. Do you have any other suggestions on how I can make this
>>>> system more secure?
>>>>
>>>> Thanks!
>>>>
>>>> Mark
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
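
The self-signed certificate option discussed in this thread, as an added example that is not part of any poster's message: it creates a certificate for an offline Pi and checks it against a recorded fingerprint, so a certificate warning on the phone can be compared with a known value instead of being accepted blindly. The address `192.168.0.10`, the name `launcher.lan` and the file names are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread. PI_IP, PI_NAME and the file names
# are assumed placeholders; substitute the launcher's real values.
set -eu

PI_IP="${PI_IP:-192.168.0.10}"      # assumed address of the Pi behind the AP
PI_NAME="${PI_NAME:-launcher.lan}"  # assumed name typed into the phone's browser

# Create a private key and a self-signed certificate whose subjectAltName
# covers both the name and the IP the phone connects to. Without a matching
# SAN the browser reports a name mismatch on top of the untrusted issuer.
make_cert() {  # usage: make_cert <dir>
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$1/launcher.key" -out "$1/launcher.crt" \
    -subj "/CN=$PI_NAME" \
    -addext "subjectAltName=DNS:$PI_NAME,IP:$PI_IP" 2>/dev/null
  chmod 600 "$1/launcher.key"   # the key must stay readable by the server only
}

# Print the SHA-256 fingerprint of a certificate (colon-separated hex).
cert_fingerprint() {  # usage: cert_fingerprint <cert.pem>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the certificate matches the fingerprint recorded when it
# was generated; a different certificate presented by another server fails.
check_pin() {  # usage: check_pin <cert.pem> <recorded-fingerprint>
  [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Run with a directory argument to generate the pair and print the
# fingerprint to write down; with no argument only the functions are defined.
if [ -n "${1:-}" ]; then
  make_cert "$1"
  cert_fingerprint "$1/launcher.crt"
fi
```
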