Hello,
I just manually upgraded my openSPOT2 to v80 but I am seeing disturbing warnings in the log of the form:
httpcln warn: ca dst-root-ca-x3.der load
Let's Encrypt migrated their root certificate authority from the DST certs to the new ISRG certs in September of 2021.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Your firmware changelog does not provide any release date information, so I don't know when v80 came out, but I would have hoped that the most recent firmware update would also have updated the root certificates.
I'm assuming that the openSPOT products always use TLS encrypted sessions when doing things like fetching firmware updates or transactions with the SharkRF backend.
(Note: Your instructions that pop up when the firmware version on the openSPOT 2 requires a manual update appear to provide a download link that is not via TLS (HTTPS). You might want to fix this when you find a moment.)
A large number of small Internet-connected devices have been suborned in recent years to do nefarious things like spread malware, generate massive quantities of denial-of-service traffic, and surveil networks. Connecting anything to the Internet these days without encryption on the administrative sessions is what many of us would call "a deal breaker" for anyone concerned with the integrity of their network and other computers.
What's the plan and timeframe for updating the root CA certs on these products?
Absent that, would someone at SharkRF be so kind as to provide some guidance as to how to do it ourselves?
If I have to reverse engineer a firmware image and insert new certificates myself, I'll do it, but that wouldn't be my first choice.
Your products are a rare embodiment of engineering elegance and pleasant user experience. This is the first aspect of your products with which I've ever been disappointed. I'm hoping we can rectify this quickly. Thank you in advance for your help!
73
--Robert, W4CUB
P.S. I've been doing the cybersecurity thing since before we used that name for it. If I may be of some assistance to the SharkRF team with regard to product security, please feel free to reach out.