MagicHat - 22 - Securing everything up

Even if the MagicHat is not sending any sensitive data out on the Internet, it's always important to make communication as secure as possible.

For this reason, I will implement HTTPS communication between the web browser and NodeJS running on Arduino Yun. Since the communication is now encrypted, we can use basic authentication (were password is just Base64 coded, but not encrypted)

To add HTTPS support, we need to:

Install OpenSSL

OpenSSL setup can be downloaded from here. Installation is plain vanilla

Create a self-signed certificate

To create a self-signed certificate, open a command prompt window and type the following commands

set OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf

This commands set the path for the OpenSSL configuration file

openssl req -x509 -newkey rsa:2048 -keyout c:\temp\key.pem -out c:\temp\cert.pem -days 365 -nodes

req: PKCS#10 certificate request and certificate generating utility.

-x509: this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA.

-newkey arg this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size.

-keyout filenamethis gives the filename to write the newly created private key to.

-out filename This specifies the output filename to write to or standard output by default.

-days nwhen the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.

-nodesif this option is specified then if a private key is created it will not be encrypted. When this option is not added, NodeJS will ask for the private key's passphrase when the private key is used

Create a server that support HTTPS

The following code creates a server with HTTPS support

var options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

var server = https.createServer(options, app);
server.listen(3000, function(){
  console.log('We have started our server on port 3000');
});

Install NodeJS's basic authentication module

Since a  lot of the middleware was pulled out of the Express core in v4 and put into separate modules, the basic auth module needs to be explicitely installed

npm install basic-auth-connect

Implement basic authentication in node

var basicAuth = require('basic-auth-connect');

// NEW CODE BEGINS HERE

// replace 'user' and 'pass' with your username and password

app.use(basicAuth('user', 'pass'));
//NEWCODE ENDS HERE

app.use(express.static(__dirname));
app.use(express.static('.'));

Client side changes

The only change required on the client side Javascript is to changes the websocket URL from ws://<ipaddress> to wss://<ip address> to use Secure web sockets. if standard web sockets are used, web browsers will raise a security error because you are trying to use an unsafe connection

With  all these changes in place, we can now connect to the MagicHat web interface using HTTPS. Since the certificate is self-signed and not by a trusted certification authority, web browser will complain about that and will warn you about potential risks

By clicking on the"Continue to this website" link, you will be asked for username and password