Third party cookies may be stored when visiting this site. Please see the cookie information.

Penguin Fortress YouTube Channel

Secure Raspberry Pi IOT with HTTPS - stop hackers with Wireshark demo

Understand how encryption is used to turn an insecure http web browser request into a secure https encrypted session. See how a hacker armed with wireshark could sniff / monitor the traffic to steal passwords using http post commands.

Then see how you can configure Nginx with encryption and a self-signed certificate allowing you secure access to your IoT web application. It shows how this could prevent a hacker that could otherwise sniff the password using the wireshark tool. This is the basis of a project that I'm working on for my Penguin Tutor project securing a maker project iot server created in Python Flask.

Transcript: Secure Raspberry Pi IOT with HTTPS - stop hackers with Wireshark demo - Video Transcript

In this example NGINX is setup as a basic web server, but in my IoT project it will use Nginx as a reverse proxy providing Internet access to a client using Let's Encrypt signed certificates.

The video first shows how to setup nginx as a standard http webserver. It then shows how to create your own self signed certificate using openssl and how you can add that to the Nginx configuration to create a secure session. The browser does give a warning about the certificate not being signed by a certificate authority, but allows you to access the website with encryption. Using a certificate signed by a genuine certificate authority (including Let's Encrypt) would help to remove that warning message.

It also shows how you can use wireshark capture filters to restrict the data collected and how that compares with wireshark display filters which only hide the packets that are not relevant.

Please note that Wireshark should only be used against systems where you have appropriate permissions. Always act responsibly with any data you capture.

Commands and configuration

Location of the default path: /var/www/html

Install PHP: sudo apt install php-fpm

Location of php.ini file (note different versions use different path): /etc/php/7.4/fpm/php.ini

Create SSL key
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Create Diffe-Hellman group:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Nginx config for SSL port 443:

listen [::]:443 ssl ipv6only=on;

listen 443 ssl;

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

ssl_dhparam /etc/ssl/certs/dhparam.pem;



ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_session_cache shared:le_nginx_SSL:1m;

ssl_session_timeout 1440m;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

Nginx redirect port 80 to port 443 (you may need to change IP addresses):

server {

    if ($host = 192.168.0.185) {

        return 301 https://$host$request_uri;

    }

        listen 80 default_server;

        listen [::]:80 default_server;



        server_name 192.168.0.185

    return 404;

}

Test a nginx config: sudo nginx -t

For more details about how cryptography and encryption see the following guides:

Previous Web Encryption & Certificates
Web Encryption & Certificates
Next Application Security Testing
Application Security Testing