Data Sheet

dScript
dScript User Manual v2.15
Web page security
Now that you can control your module from any browser on any PC, laptop, tablet or phone from anywhere on the planet, what is to stop anyone who knows your incoming IP address from opening your gates, turning your lights on or your heating off, and generally messing up your life?
One way is to change the web page file name from "index.htm" to something harder to guess, such as "EyRz2G5xXu94e.htm". This is almost like using the file name itself as a kind of password. It is actually pretty good security and we recommend you use it. It is called "security by obscurity", but on its own it is still not quite good enough: it is not safe from the so-called "man in the middle" attack. This could happen when using a café or hotel Wi-Fi, where the web traffic can be monitored and your page name becomes visible, and there is no more security. Even someone looking over your shoulder could be enough to compromise it.
Web pages could be secured with a password. However, unless an SSL connection is used, that password is transferred as plain text and offers no real protection. We could use a password and SSL in combination. That would be secure, but at the cost of huge inconvenience:
1. The SSL firmware would add extra cost to every module.
2. You would need to purchase a secure certificate for every module, or use a self-signed certificate and dismiss the browser warning every time.
3. Every time, you would still have to enter your username and password.
We wanted a solution that did not add cost or inconvenience for the operator: one where you, and only you, can go straight to the web page and view status or make changes.
Our solution is to store a password in your browser. Only that device/browser combination can access the web pages, and in operation the password itself is never transferred over the network. The server sends three independent random numbers which select three random characters from the password; these characters are hashed and the hash is stored as a cookie. It is this cookie that enables the web page to be displayed. The cookie is deleted when the browser is closed, and is also invalidated by the server after a few seconds of inactivity or when you log out. Your web page will most likely be updating variables continuously, so the page will stay alive for as long as you are viewing it.
To add security to our simple web page, add the following to the dScript program header section:
html.password "bQq#dm@$%^5*xZ5tY0wN!fi38H_Y3"
The password can be anything you want from the ASCII character set in the range 32-126 (0x20-0x7E), excluding " which is the string terminator, and up to 200 characters in length.
With the password in place, all requests for pages will require authorisation. If your browser has the password stored in it, the page will be served. If not, you will see a page which says you are not authorised to view it.
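The following Python model is an added illustration of the challenge/response cookie scheme and the html.password character rules described above; it is not Devantech's firmware or browser code. The manual does not name the hash function, say whether the challenge numbers themselves are mixed into the hash, or give the exact inactivity window, so SHA-256 over the three selected characters and a five-second window are assumptions made here, as is the injectable clock used to demonstrate the timeout.

```python
"""Model of the dScript challenge/response cookie scheme (added example, not
Devantech code). Assumptions: SHA-256 as the hash, only the three selected
characters are hashed, and a 5-second inactivity window."""
import hashlib
import secrets
import time

INACTIVITY_TIMEOUT_S = 5.0   # assumed; the manual only says "a few seconds"


def valid_password(password: str) -> bool:
    """Apply the manual's html.password rules: ASCII 0x20-0x7E, no '"', 1..200 chars."""
    return (0 < len(password) <= 200
            and all(0x20 <= ord(c) <= 0x7E and c != '"' for c in password))


def response_hash(password: str, challenge: tuple) -> str:
    """Hash the three password characters picked out by the challenge indices.

    The browser computes this from its stored password; the module computes it
    from its own copy. Only this hash travels over the network, never the password.
    """
    selected = "".join(password[i] for i in challenge)
    return hashlib.sha256(selected.encode("ascii")).hexdigest()


class Module:
    """The dScript module's side: issues challenges, checks cookies, times out sessions."""

    def __init__(self, password: str, clock=time.monotonic):
        if not valid_password(password):
            raise ValueError("password violates the html.password rules")
        self._password = password
        self._clock = clock          # injectable so the inactivity timeout can be tested
        self._challenge = None
        self._session = None         # cookie accepted for the live session, if any
        self._last_seen = 0.0

    def issue_challenge(self) -> tuple:
        """Three independent random indices into the password; starts a new login."""
        n = len(self._password)
        self._challenge = tuple(secrets.randbelow(n) for _ in range(3))
        self._session = None
        return self._challenge

    def request_page(self, cookie):
        """Return (status, body) for a page request carrying the browser's cookie."""
        now = self._clock()
        if cookie is None or self._challenge is None:
            return 403, "You are not authorised to view this page"
        if self._session is None:
            # First request after a challenge: the cookie must equal our own hash.
            expected = response_hash(self._password, self._challenge)
            if not secrets.compare_digest(expected, cookie):
                return 403, "You are not authorised to view this page"
            self._session = cookie
        elif now - self._last_seen > INACTIVITY_TIMEOUT_S:
            # Idle too long: server-side invalidation, a fresh challenge is required.
            self.logout()
            return 403, "Session expired"
        elif not secrets.compare_digest(self._session, cookie):
            return 403, "You are not authorised to view this page"
        self._last_seen = now        # continuous variable updates keep the page alive
        return 200, "<status page>"

    def logout(self) -> None:
        """Explicit log out: both the challenge and the accepted cookie are dropped."""
        self._challenge = None
        self._session = None


class Browser:
    """A browser that may or may not hold the stored password."""

    def __init__(self, stored_password=None):
        self._stored = stored_password
        self.cookie = None

    def answer(self, challenge):
        """Compute the cookie from the stored password, or nothing if none is stored."""
        if self._stored is None:
            return None
        self.cookie = response_hash(self._stored, challenge)
        return self.cookie

    def close(self) -> None:
        self.cookie = None           # the session cookie goes away with the browser
```

Running it with two browsers, one holding the password and one without, shows why the "not authorised" page appears for the second: it has nothing to hash and can only send an empty cookie. The clock injection lets you step time forward past the inactivity window and watch the module reject a cookie it accepted a moment earlier.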
Copyright © 2016, Devantech Ltd.
All rights reserved.
www.robot-electronics.co.uk