If you use an embedded web server for device management, you may have noticed that browser vendors flag non-SSL/TLS-enabled web servers as insecure. This means that more and more device manufacturers are transitioning to HTTPS to ensure secure communication. It is important to know the challenges of providing trusted, secure communication. Without trust, it's easy for anyone to hack your server. In this article, we'll explore the challenges of establishing trust and how to provide simple, hassle-free solutions to ensure the security of your embedded web server.
If you are already using a TLS-enabled web server, you know firsthand the challenges of configuring a certificate solution that does not trigger a red flag in the browser. If you are not using TLS yet, be prepared for a few surprises when you enable it for your embedded web server solution. While TLS is often thought of as a way to encrypt communication between the web browser and web server, it is essential to remember that trust is also a key component.
If the browser cannot trust the server, the encryption provided by TLS becomes irrelevant.
That is why web browsers show a warning when a web server returns a non-trusted SSL certificate. In the figure below, you can see an example of the warning that appears in the web browser when this happens.
For a web browser to trust a TLS-enabled web server, the following criteria must be met:
 The client computers, including PCs, tablets, and phones, must have the Certificate Authority (CA) certificate stored in the Certificate Store. A web server is not trusted if the CA that signed the server's certificate is not pre-installed in the Certificate Store. To better understand the Certificate Store, view the pre-installed CA certificates on your computer; for example, on Windows, run the command certmgr.msc to open the Certificate Store. See the article Introduction to PKI for details.
You are probably at this point getting the picture that this is not so easy to manage for embedded devices. Maybe you already sell a TLS-enabled product and simply push this problem to your end customer(s); however, it is virtually impossible for non-technical users to get this working. As we mentioned above, using a non-trusted HTTPS connection is no more secure than using a non-secure HTTP connection. The reason for this is that the browser cannot distinguish between a man in the middle and the real device if the web browser is unable to trust the embedded web server.
If your customers are super techies, they may elect to be their own Certificate Authority; however, the administrative work involved, even for SSL experts, is just enormous. In any event, your product would look much more professional if you could provide a solution that completely automates certificate management. What you need is a solution that enables your customers to browse to their newly purchased devices without getting any errors in the browser.
Thanks to the new Certificate Authority Let's Encrypt, it is now possible to completely automate the installation of free and trusted certificates for web servers deployed within private networks. However, Let's Encrypt requires the use of a new security protocol for its automated certificate management. In addition, a DNS service for private web servers must be used together with the Let's Encrypt service.
We provide two products that enable the automatic installation of Let's Encrypt signed certificates for private web servers.
No matter what your background or project goals, we're here to help you find the perfect solution! Are you a maker looking for the right tools? A startup trying to get off the ground? A large business seeking new software solutions? We've got you covered.
If you have any questions or just aren't sure which product is right for you, don't hesitate to reach out. Our team is dedicated to helping you overcome your hardware/software challenges and find the best solution for your needs. Let us know how we can help - we'd love to lend a hand!
Expedite your IoT and edge computing development with the "Barracuda App Server Network Library", a compact client/server multi-protocol stack and toolkit with an efficient integrated scripting engine. Includes Industrial Protocols, MQTT client, SMQ broker, WebSocket client & server, REST, AJAX, XML, and more. The Barracuda App Server is a programmable, secure, and intelligent IoT toolkit that fits a wide range of hardware options.
SharkSSL is the smallest, fastest, and best performing embedded TLS stack with optimized ciphers made by Real Time Logic. SharkSSL includes many secure IoT protocols.
SMQ lets developers quickly and inexpensively deliver world-class management functionality for their products. SMQ is an enterprise ready IoT protocol that enables easier control and management of products on a massive scale.
SharkMQTT is a super small secure MQTT client with integrated TLS stack. SharkMQTT easily fits in tiny microcontrollers.
An easy to use OPC UA stack that enables bridging of OPC-UA enabled industrial products with cloud services, IT, and HTML5 user interfaces.
Use our user programmable Edge-Controller as a tool to accelerate development of the next generation industrial edge products and to facilitate rapid IoT and IIoT development.
Learn how to use the Barracuda App Server as your On-Premises IoT Foundation.
The compact Web Server C library is included in the Barracuda App Server protocol suite but can also be used standalone.
The tiny Minnow Server enables modern web server user interfaces to be used as the graphical front end for tiny microcontrollers. Make sure to check out the reference design and the Minnow Server design guide.
Why use FTP when you can use your device as a secure network drive.
PikeHTTP is a compact and secure HTTP client C library that greatly simplifies the design of HTTP/REST style apps in C or C++.
The embedded WebSocket C library lets developers design tiny and secure IoT applications based on the WebSocket protocol.
Send alarms and other notifications from any microcontroller powered product.
The RayCrypto engine is an extremely small and fast embedded crypto library designed specifically for embedded resource-constrained devices.
Real Time Logic's SharkTrust™ service is an automatic Public Key Infrastructure (PKI) solution for products containing an Embedded Web Server.
The Modbus client enables bridging of Modbus enabled industrial products with modern IoT devices and HTML5 powered HMIs.