Hi there!
DougieLawson wrote: What does it give me that I can't already do with Weaved IoT?
Hi again!
Heater wrote: There is nothing that will help with trust unless I can put ssh keys on my Pi, or whatever device, such that I know whoever is relaying the communication cannot be a man in the middle.
It's a big problem.
As it happens I am just now playing with the services of resin.io to deploy code to remote devices and get access to them over 3G. There is the issue of trust there as well. But I think resin has a somewhat different use case in mind than you do. My first test of resin is here: https://bccbb0d6f38d1c3dec17eaeddc73710 ... device.io/
Otherwise I have access to Pis via a terminal interface in the browser that comes via a Google cloud instance and a web socket connection from the remote Pi. Again I have to trust Google as the man in the middle.
You are right, VPNs are a pain to set up.
Possibly you have a great idea there. I'll give it a try.
Pretty much a hole-in-one. So you install the client (see the GitHub link above for the code), then the client starts up and opens a websocket connection to the dataplicity servers (client initiated, hence why VPN, dyndns etc. are not needed). The servers present a website which includes a web-based terminal. End to end is HTTPS, and there are no ports opened on the Pi itself.
Heater wrote: Elliot_M,
Actually, perhaps you could outline how this works. From what you have said I gather something has to be installed on the Pi to initiate that websocket connection back to your server(s). Then a user visits your site via a web browser and gets a terminal connection to their Pi.
I don't use Weaved. I've got a few ports forwarded on my router and that lets me use ssh or OpenVPN from anywhere in the public internet using one of my machines preloaded with an ssh key and/or my OpenVPN ca.crt and client.crt / client.key. One of my systems has a tunnelled public IPv6 address (because I trust http://he.com). If I connect to my OpenVPN I get a remote IPv6 address routed through my server.
Elliot_M wrote: As an existing user of weaved, I'd be interested to know what features of weaved you actually use? I have a bunch of things lined up but it would be great to get some feedback as to which features are actually most useful to people.
Thanks so much for your suggestions.
Heater wrote: Hmmm...
So given that we can get a byte stream from local PC to remote Pi using HTTP and web sockets via servers from Dataplicity or Resin or whatever, then all we need is a way of establishing secure communications from end to end using public key encryption, HTTPS style. In that way the provider of the server in the middle would not need to be trusted any more than we trust the many hops that our HTTPS or VPN traffic runs over.
The PC end of this link would need to not be a web browser running JS provided by the server operator, but that is easily done, especially with tools like node.js.
Is there such an SSL/TLS style system that will work over any old byte stream, not dependent on TCP/IP?
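The answer to the question above is yes: TLS is defined over any reliable, ordered byte stream, not over TCP specifically, so the relay in the middle only ever carries ciphertext once the two ends authenticate each other directly. The Go program below is an added example written for this thread, not code from dataplicity, resin or any poster. It runs a TLS session between a "PC" and a "device" through a byte-forwarding relay built from in-memory net.Pipe connections (no TCP/IP at all), with the PC pinning the device's self-signed certificate, which stands in for the "put keys on my Pi" idea. The hostname pi.example, the one-line echo protocol, the relay and the message "uptime" are all constructed for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"sync"
	"time"
)

// deviceName is a constructed hostname: the identity the PC expects the device to prove.
const deviceName = "pi.example"

// SelfSignedCert makes an in-memory Ed25519 key and self-signed certificate for the device.
// The key never leaves the device; only the certificate is copied to the PC and pinned there.
func SelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: deviceName}, DNSNames: []string{deviceName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, leaf, nil
}

// relay is the untrusted middle box: every byte it forwards is also kept in seen, the relay operator's view.
type relay struct {
	mu   sync.Mutex
	seen bytes.Buffer
}

func (r *relay) Write(p []byte) (int, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.seen.Write(p)
}

func (r *relay) saw(s string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	return bytes.Contains(r.seen.Bytes(), []byte(s))
}

// EndToEnd runs one TLS session PC -> relay -> device over in-memory pipes (no TCP/IP), with the
// PC trusting only the pinned certificate; passing a deviceCert other than the pinned one models a
// relay substituting its own. leakedName is expected to be true: TLS sends the SNI hostname in clear.
func EndToEnd(msg string, deviceCert tls.Certificate, pinned *x509.Certificate) (reply string, leakedMsg, leakedName bool, err error) {
	pcSide, relayA := net.Pipe()
	relayB, deviceSide := net.Pipe()
	defer func() { pcSide.Close(); deviceSide.Close() }() // also frees a device goroutine stuck mid-handshake
	r := &relay{}
	defer func() { leakedMsg, leakedName = r.saw(msg), r.saw(deviceName) }()
	go io.Copy(relayB, io.TeeReader(relayA, r))
	go io.Copy(relayA, io.TeeReader(relayB, r))
	pool := x509.NewCertPool()
	pool.AddCert(pinned)
	pc := tls.Client(pcSide, &tls.Config{ServerName: deviceName, RootCAs: pool, MinVersion: tls.VersionTLS12})
	device := tls.Server(deviceSide, &tls.Config{Certificates: []tls.Certificate{deviceCert}, MinVersion: tls.VersionTLS12})
	// Device side: the handshake runs inside the first Read; it then echoes one line back.
	devErr := make(chan error, 1)
	go func() {
		line, e := bufio.NewReader(device).ReadString('\n')
		if e == nil {
			_, e = device.Write([]byte("echo: " + line))
		}
		devErr <- e
	}()
	if err = pc.Handshake(); err != nil {
		return "", false, false, fmt.Errorf("PC rejected the certificate presented through the relay: %w", err)
	}
	if _, err = pc.Write([]byte(msg + "\n")); err == nil {
		reply, err = bufio.NewReader(pc).ReadString('\n')
	}
	if err == nil {
		err = <-devErr
	}
	return strings.TrimSuffix(reply, "\n"), false, false, err
}

func main() {
	genuine, leaf, _ := SelfSignedCert()
	impostor, _, _ := SelfSignedCert() // models a relay that swaps in its own certificate
	fmt.Println(EndToEnd("uptime", genuine, leaf))
	fmt.Println(EndToEnd("uptime", impostor, leaf))
}
```

Two things worth noticing when running it. First, the relay never sees the message text, but it does see the SNI hostname, the byte counts and the timing, so a relay operator still learns who talks to what and how much; end-to-end TLS hides content, not metadata. Second, the pinning only helps if the certificate reached the PC over a path the relay does not control (copied off the Pi when it was set up, for instance); with that in place, a relay that presents its own certificate gets a failed handshake rather than a silently intercepted session, which is the property Heater is asking for.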
The encryption is HTTPS websockets from browser to dataplicity server, then again from server to device. dataplicity forwards the traffic in the middle, but doesn't store it after forwarding. We do store system stats like disk space, memory usage etc so we can also display those data points in your account.
Heater wrote: end-to-end? From a user perspective it's only encrypted from end to middle, the Dataplicity servers. After that we have no idea what is going on.
The code is here for all to see: github.com/wildfoundry/dataplicity. It's a modified BSD licence, so you can modify it yourself if you wish. The documentation thus far is a bit patchy, but it's improving as time permits.
Heater wrote: Similarly, what about the client code running in the Pi. How can we trust it if it comes from Dataplicity?
I'm really appreciative of the fact that you are voicing your concerns. I will be working through these comments and see where we can improve.
Heater wrote: I'm not suggesting that you have any intention of snooping on your users or taking over their systems for dodgy purposes. Just exploring the security issues here.
What password?
Elliot_M wrote: dataplicity client now runs as an unprivileged user on your Pi. This means the shell will only open as an unprivileged shell: if you want superuser you have to type 'su' and enter your password for superuser.
Yes, as for some non-basic terminal tools (like mc, wcd...) and for the usual user settings ('.bash_aliases').
Elliot_M wrote: your preference would be if we created the home directory automatically?
Thanks @Elliot_M
Elliot_M wrote: So type 'su pi' and after pressing enter, type the password for the 'pi' account.
___________________________________________________________________
Elliot_M wrote: for recent installs the dataplicity client now runs as an unprivileged user on your Pi. This means the shell will only open as an unprivileged shell: if you want superuser you have to type 'su' and enter your password for superuser.
So now I understand that you provide a terminal to my RPi in a browser.
Easy access via browser
Log in to Dataplicity, select the device you want and access your remote shell. It's that simple!
The binary blob in the Pi that they do not want to remove yet is making your Pi communicate with the NSA.
Heater wrote: As far as the "keep-alive" data usage goes. In one hour, with the terminal open in the browser and no other activity going on I saw 700KB come in on my Pi's WIFI interface and 11MB going out.
That's like 3KBytes per second!
What on Earth is it doing?