melkati / CO2-Gadget

An advanced CO2 Monitor/Meter firmware for ESP32 with Android and iOS App for real time visualization and charting of air data, data logger, a variety of communication options (BLE, WIFI, MQTT, ESP-Now) and many supported sensors.
https://emariete.com/medidor-co2-gadget/
GNU General Public License v3.0

Add relaxed mode security to internal web pages #220

Closed melkati closed 6 months ago

melkati commented 6 months ago

Feature in Roadmap: "Add Relaxed Mode Security to Internal Web Pages"

Overview: The "Add Relaxed Mode Security to Internal Web Pages" feature aims to enhance the security and flexibility of CO2 Gadget's internal web pages, providing users with more control over their preferences and settings.

Background: Recent feedback from users highlighted issues with the JSON for loading preferences and connecting to MQTT, particularly concerning password management. While security measures are crucial, users also desire convenience and ease of use. (Link to our private Alpha and Beta tester Telegram group with the request https://t.me/c/2135172956/563)

Proposal: To address these concerns, we plan to introduce a "relaxed mode" security option to internal web pages. This feature will allow users to toggle between standard security measures and a more flexible mode that enables viewing, editing, and saving of passwords directly from the web interface.

Key Points:

Next Steps:

Your feedback and insights are invaluable as we work towards delivering a more secure and user-friendly experience with CO2 Gadget. If you have any further suggestions or concerns, please don't hesitate to reach out.

Olaruci commented 6 months ago

Yes, the relaxed mode sounds good and maybe easier to do than encrypting. Especially for MQTT, where we are recommended to use a dedicated user with local access just for Mosquitto, I think it can't do much even if the password gets exposed. For WIFI it's ok to be hidden.

melkati commented 6 months ago

> Yes, the relaxed mode sounds good and maybe easier to do than encrypting. Especially for MQTT, where we are recommended to use a dedicated user with local access just for Mosquitto, I think it can't do much even if the password gets exposed. For WIFI it's ok to be hidden.

Got it, Ola. Your point about potentially different approaches for WiFi and MQTT passwords makes sense. However, to keep things simple and easy to manage for all users, I think it's important to maintain consistency in our implementation.

Having a "one size fits all" approach with the same treatment for both WiFi and MQTT passwords could streamline the user experience and reduce complexity. While WiFi passwords may require additional security measures, ensuring consistency across the board can simplify the overall usage and management of passwords within the system.

Let's aim for a solution that strikes the right balance between security and usability for all users. Thanks for bringing up this important consideration!

melkati commented 6 months ago

I just finished implementing this in CO2 Gadget Beta v0.12.072-development. I will later implement, when it's more tested, light encryption for passwords (in transit and at rest).

For the moment, the parameter "relaxedSecurity" will be kept undocumented.
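
An added example, not part of this thread or of CO2 Gadget's code: one way a firmware could gate password fields on the `relaxedSecurity` flag discussed above, both when sending preferences to the web page and when saving what the page sends back. The `Prefs` type, the key names and both function names are hypothetical, and it assumes standard mode neither sends nor accepts passwords over the web interface.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Hypothetical preference store; the key names used here are assumptions,
// not CO2 Gadget's real preference keys.
using Prefs = std::map<std::string, std::string>;

static bool isSecretKey(const std::string& key) {
    return key == "wifiPass" || key == "mqttPass";  // assumed key names
}

// Preferences the web page may receive. Standard mode omits secrets
// entirely; relaxed mode sends them as stored.
Prefs prefsForWeb(const Prefs& stored, bool relaxedSecurity) {
    Prefs out;
    for (const auto& kv : stored) {
        if (!relaxedSecurity && isSecretKey(kv.first)) continue;
        out.insert(kv);
    }
    return out;
}

// Merge a submission from the web page. In standard mode secret keys are
// skipped, so a page that never received a password cannot blank or
// replace it when the user saves.
Prefs applyWebSubmission(const Prefs& stored, const Prefs& submitted,
                         bool relaxedSecurity) {
    Prefs merged = stored;
    for (const auto& kv : submitted) {
        if (stored.count(kv.first) == 0) continue;  // ignore unknown keys
        if (!relaxedSecurity && isSecretKey(kv.first)) continue;
        merged[kv.first] = kv.second;
    }
    return merged;
}

int main() {
    Prefs stored;  // constructed sample values
    stored["mqttUser"] = "co2";
    stored["mqttPass"] = "example-secret";
    Prefs form;
    form["mqttUser"] = "gadget";
    form["mqttPass"] = "";  // field the page could not pre-fill
    Prefs saved = applyWebSubmission(stored, form, false);
    std::printf("standard view: %zu keys, mqttPass kept: %d\n",
                prefsForWeb(stored, false).size(),
                saved["mqttPass"] == "example-secret");
    return 0;
}
```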