Why HTTPS is Prevalent in the Modern Internet

Continuing from our previous blog posts, I have been working on designing a REST API for the server back-end for the RFID IOT (internet of things) devices. Currently, we have a MongoDB, with a Mongo Express dashboard, pictured here:

I’ve also been working on the FastAPI backend for this setup. While I was desinging this however, an evil m5 member came up to me, and said, “If you use HTTP, I will Man In the Middle attack your whole IOT cluster, and give myself unlimited points”.

How can I defend myself against him?

By using HTTPS!

The reason HTTP falls short, is that any data transmitted over HTTP isn’t encrypted. This means that anyone, that’s connected to your wifi, can look at data packets that have been sent from your computer. This means, the evil m5 hacker, can read your data packets, which includes the member dependent RFID token, making you loose all your points. Then, he could bypass the once a day limit, giving him unlimited points. That’s really bad!

However, there’s a solution! Using HTTPS. HTTPS uses something called TLS encryption. With this, Om Patel can no longer simply read the data being exchanged from the Raspberry Pi and the m5 server. This would prevent him from changing the request, to give him unlimited points.

However, for TLS to work, we need something called an SSL Certificate. Normally, your browser can download Certificates automatically, from a root Certificate Authority, which is usually organizations that can give certificates to websites that are who they claim they are. By trusting a certificate authority, you automatically can accept HTTPS packets from any website approved by that authority.

However, since our M5 IOT device never connects to the world wide web, we have to create our own Certificate Authority, to make sure that all the Raspberry Pi Picos can exchange information between them and the server. Thus, we will defeat the evil M5 Member