TLS 1.3. It’s new, it’s shiny, it’s much better. And it’s supported by nginx 1.13, which is part of the backend of this blog.

It was a bit of work to get a perfect score on the SSL Labs test (as below), and here’s how I did it.

First, the server supports a bunch of different ‘sites’ (each is a different host name, and thus a different SNI). I used Let’s Encrypt for the certificates. To make matters simple for config, I created a single include file with all the SSL parameters:

# Protocol versions: TLS 1.3 plus TLS 1.2 for older clients; TLS 1.0/1.1 are not offered.
ssl_protocols TLSv1.3 TLSv1.2;

# Let's Encrypt chain and key. The trusted chain is also what nginx uses to verify stapled OCSP responses.
ssl_certificate /etc/letsencrypt/live/donbowman.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/donbowman.ca/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/donbowman.ca/fullchain.pem;

# Key exchange: pre-generated DH parameters for the EDH suites, P-384 for ECDHE.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ecdh_curve secp384r1;
# TLS 1.2 cipher list: forward-secret ECDHE/DHE suites, GCM first, AES-128 excluded.
# With OpenSSL 1.1.1 this directive does not affect TLS 1.3 suites, which are fixed by the library.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128';
ssl_prefer_server_ciphers on;

# Session resumption: cache shared across workers; tickets need key rotation to keep forward secrecy.
ssl_session_cache shared:SSL:10m;
ssl_session_tickets on;

# OCSP stapling: nginx fetches and verifies responses itself, which is why it needs a resolver.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=600s;
resolver_timeout 5s;

# Security headers: two-year HSTS with preload, clickjacking and MIME-sniffing protection.
add_header Strict-Transport-Security "max-age=63073000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

I then included this in each server block, like so:

server {
    listen 0.0.0.0:443 ssl http2;
    server_name blog.donbowman.ca;

    include don-tls.conf;

    ...
}
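To check that an include like the one above actually carries the settings the post relies on, here is a small linter (an added example, not the blog’s own code): it parses the directives and flags legacy protocol versions, disabled or unverified OCSP stapling, a short HSTS max-age and missing headers. The sample include is a constructed copy of the post’s file with the certificate paths left out.

```python
import re

# Constructed copy of the post's include (certificate paths omitted); not the server's live config.
SAMPLE_CONF = """
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63073000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
"""
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Yield (name, args) per directive; '#' comments and the trailing ';' are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if line:
            # Quoted values (the HSTS header, the cipher string) stay as one argument.
            parts = re.findall(r'"[^"]*"|\'[^\']*\'|\S+', line)
            yield parts[0], [p.strip('"\'') for p in parts[1:]]

def lint(text):
    """Return a list of findings for the include; an empty list means it passes these checks."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    on = lambda d: by_name.get(d, [["off"]])[0][0] == "on"   # nginx booleans default to off
    findings = []
    protos = {p for args in by_name.get("ssl_protocols", []) for p in args}
    if protos & LEGACY:
        findings.append("legacy protocols enabled: " + " ".join(sorted(protos & LEGACY)))
    if "TLSv1.3" not in protos:
        findings.append("TLSv1.3 not enabled")
    if not on("ssl_stapling") or not on("ssl_stapling_verify"):
        findings.append("OCSP stapling off or unverified")
    if not on("ssl_prefer_server_ciphers"):
        findings.append("server cipher preference off")
    headers = {a[0].lower(): a[1] for a in by_name.get("add_header", []) if len(a) > 1}
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:   # one year is the usual preload floor
        findings.append("HSTS missing or max-age under one year")
    for h in ("x-frame-options", "x-content-type-options"):
        if h not in headers:
            findings.append("missing header " + h)
    return findings
```

Note that nginx does not merge add_header across levels: a server or location block that sets any add_header of its own drops every header inherited from the include, so check the effective configuration of each block rather than the include alone.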

So the vac was let loose in a few rooms on the main floor. It uses a laser-ranging dome augmented with sonar. You can see its estimate of my living room and kitchen below. The obstacles are things like couches, tables, stairs, fireplaces, etc. It’s actually quite accurate; the long thin bit is the hall down towards my pool, and it’s actually 90 degrees, not angled as shown, but… close enough.

For this experiment it was denied access to the sunroom (top left) and Sonya’s office (centre right).

Examining the telemetry it wants to share with ‘the cloud’, there are some ‘hadoop.aws’-type hostnames that are fairly obvious.

A little bit of hackery and its token was extracted; it was introduced to homeassistant (the magical ball of Python which runs my gadgets), and the SSID it operates on was removed from Internet access. So now I can control it, and get push notifications when ‘dusty’ gets trapped, but the ‘cloud’ has no more visibility. PS: my cat is not brave enough to ride it (yet). But I will leave a video at the end of what I assume will be happening in my house later this week when I’m not around.

When I was a kid, electronics were something you saved your meagre earnings to splurge on at Active Electronics. A breadboard, a Z80, that was 2 months’ sweat. You’d get a little baggie with pink foam and a black chip in it. A couple of Forrest Mims notebooks and you were off. This was technically not pre-Internet, but it was pre-Internet for me for sure [~1982].

Fast forward to now, and it’s science fiction. Check out the below. $4 including postage, and it arrives at my home. It’s a bit smaller than a SIM card [those are 5mm grids]. And it’s Wi-Fi enabled and will run Python. This enables anyone to get in the game and start IoT-ising their universe. Want to make your garage door opener smart? Get an HC-SR04 for $1 from AliExpress [to see when the door is open vs closed], a 3.3V power supply, and solder to your ‘button’, and you are done.

Now, I run Home Assistant and MQTT (Mosquitto). This makes it really simple to have sensors and automation everywhere, with a simple web interface to see what it decided you needed.

So, back to IoT, security and the enemy. $5 and a couple of hours, and I have my garage door ready to be opened from anywhere in the world. Of course I spent the time to give it strong auth and good encryption, right? What if I had bought this as a kit; what software would have been in that widget? Would it have been like the sous-vide?

This ESP8266 family is a great enabler. There is no excuse for anything not having an IP address now, as far as I can see. And it’s strong enough that you can secure it. But will you?

So the other day I bought a Google Home. This provides a standalone device with the Google Assistant (which also lives on my phones and tablets).

I run ‘homeassistant.io’, which allows me to manage some of the various and sundry things around my house, e.g. turn lights on, whatever.

OK, now I’d like to introduce the one to the other. The platform of choice for this is ‘IFTTT’ (If This Then That, pronounced like gift without the g).

I would also like to be able to push notifications from it to my devices. The platform of choice for that is Google Cloud Management (gcm) push notification, integrated with homeassistant.io via the ‘notify.html5’ method.

Wow, this was much easier than I thought. No programming is needed, just a few simple web clicks. And now I can turn my lights on and off by voice from anywhere in the world.

This ‘ifttt’ platform is a lot like SandScript. “If this then that”, hey, that is SandScript in a nutshell. It allows inbound ‘conditions’ and outbound ‘actions’; it’s a cloud-based policy control system!

It was the work of moments to hook in that little KanKun switch. And those ESP8266 devices which are $5 or so are easy too.

They’ve been working on the problem of “OK Google” waking up a bunch of devices at once. It’s not perfect yet, but better. If my phone, tablet and ‘home’ are in the same room, usually only the ‘home’ will wake up.

Now, for security. There are API keys everywhere here, and OAuth2. The security model is that they all meet outside my house (that is, until I start hooking the MQTT ones up; for that I’ll run a local broker, I guess).

The Xiaomi robot vacuum joined my household last night. It wasn’t too complex to switch the voice pack over to English (it has ~50 Chinese voices, but only 1 English, and you have to be able to read Chinese to find it).

Once set up (the app has every permission possible on Android!), dirt patrol began. It uses an ultrasonic/radar/laser dome to map out your house, and you can see this map grow in real time. My cat kept a close watch the entire time!

Now, on to the network security. Of course this was put on the IoT SSID. It has a fair bit of chatter to the Internet (Hadoop on Amazon is the biggest). A little bit of hacking, and its token was yielded, allowing it to integrate with homeassistant.io.

Interestingly, it has no open ports on the unit (it does maintain persistent outbound connections to the cloud). I have to do a bit more research. But for sure it’s sharing a map of my house, and when I’m home, with the cloud.