You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/arduino-cloud/02.features/00.security-considerations/security-considerations.md
+18-18Lines changed: 18 additions & 18 deletions
Original file line number
Diff line number
Diff line change
@@ -121,26 +121,32 @@ If it is determined that a breach has occurred, system(s) or system component(s)
121
121
122
122
PII data will only be stored as long as Arduino legitimately needs it and in accordance with Arduino’s Privacy Policy.
123
123
124
-
## Security Considerations for Specific Arduino Cloud Components
124
+
## Arduino Cloud Applications and Tools
125
125
126
-
### Arduino Cloud CLI
127
-
128
-
The Arduino Cloud CLI provides a way for interacting with the Arduino IoT Cloud via the command line. The communication is carried out via an HTTPS connection and authentication is performed via API key credentials stored on the local machine.
126
+
### Arduino Web Editor
129
127
130
-
###Arduino Cloud Editor
128
+
The Arduino Web Editor allows customers to create sketches they can subsequently deploy on boards. Each customer has a separate area where their sketches are stored so that no other customer has access to them. Sketches can be made publicly available to everyone, in which case access is granted by whomever possesses the link to access them.
131
129
132
-
The Arduino Cloud Editor allows customers to create sketches they can subsequently deploy on boards. Each customer has a separate area where their sketches are stored so that no other customer has access to them. Sketches can be made publicly available to everyone, in which case access is granted by whomever possesses the link to access them.
133
-
134
-
The Arduino Cloud Editor also provides a secret tab that can be used to securely store sensitive information needed by the device (e.g. Wi-Fi credentials, API credentials). Secrets in this tab are encrypted with the AES-256 algorithm to safely store them in the Cloud.
135
-
In order to communicate with the Arduino Cloud Editor, web browsers should be able to communicate over the internet to port 80, 443 and 8080 towards Arduino’s subdomains \*.arduino.cc.
130
+
The Arduino Web Editor also provides a secret tab that can be used to securely store sensitive information needed by the device (e.g. Wi-Fi® credentials, API credentials). Secrets in this tab are encrypted with the AES-256 algorithm to safely store them in the Cloud.
131
+
In order to communicate with the Arduino Web Editor, web browsers should be able to communicate over the internet to port 80, 443 and 8080 towards Arduino’s subdomains \*.arduino.cc.
136
132
137
133
### Arduino IoT Cloud
138
134
139
135
The Arduino IoT Cloud collects MQTT events through a data pipeline which is accessible only by the owner of the data and access authorization is enforced via our backend API.
140
136
141
-
### Arduino Boards Security
137
+
### Arduino Cloud CLI
138
+
139
+
The Arduino Cloud CLI provides a way for interacting with the Arduino IoT Cloud via the command line. The communication is carried out via an HTTPS connection and authentication is performed via API key credentials stored on the local machine.
140
+
141
+
### Arduino Create Agent
142
+
143
+
The Arduino Create Agent fills the gap between your browser and your boards and allows users to deploy their sketches on their board using the Arduino Web Editor. The Arduino Create Agent runs a web server bound to localhost that receives requests from the Arduino Web Editor to operate on the boards. The security of such communication is ensured by cryptographic signature of the commands that are sent to the Arduino Create Agent. Whenever the Arduino Web Editor wants to send a command to the Arduino Create Agent, it cryptographically signs the command and appends the signature to the request sent to the agent. The agent verifies the signature and, if it is correct, accepts and executes the command.
144
+
145
+
For usage with certain browsers, specifically with Safari on macOS, the Arduino Create Agent needs to run the web server using a TLS connection. A local Certificate Authority (CA) is generated and used to sign a certificate for the localhost domain. The private key of the CA is erased once the certificate for localhost is signed, while the public certificate of the CA is installed in the local system. The web server of the Arduino Create Agent will then run with a TLS connection. This is done to obey the mixed content specification implemented in Safari which is enforced also for resources loaded from localhost.
142
146
143
-
#### Device Identity and Secure Communication
147
+
## Security Considerations for Arduino Boards
148
+
149
+
### Device Identity and Secure Communication
144
150
145
151
Devices onboarding and communication with the Arduino Cloud is ensured to protect the confidentiality of the data exchanged between Arduino devices and the Cloud. The following image shows the Device setup phase and the Device operation phase.
146
152
@@ -164,13 +170,7 @@ The device establishes a mutual-TLS authenticated connection with the IoTCloud M
164
170
* The device can establish the identity of the MQTT server it is attempting to connect to;
165
171
To establish such secure connections, devices must be able to connect to *.arduino.cc on port 8884 and 8883.
166
172
167
-
####Secrets Management
173
+
### Secrets Management
168
174
169
175
In order to provide confidentiality and integrity of secrets stored within Arduino boards, a secure element chip is available on a selection of boards that provides hardware level encryption and tamperproofing protection. Integration with the Arduino Cloud leverages such a secure element to store the board certificate used to perform the mutual authentication with the MQTT server. Customers may also leverage the secure element chip to store sensitive information required by the board to operate based on the specific use cases.
170
176
171
-
172
-
### Arduino Create Agent
173
-
174
-
The Arduino Create Agent fills the gap between your browser and your boards and allows users to deploy their sketches on their board using the Arduino Cloud Editor. The Arduino Create Agent runs a web server bound to localhost that receives requests from the Arduino Cloud Editor to operate on the boards. The security of such communication is ensured by cryptographic signature of the commands that are sent to the Arduino Create Agent. Whenever the Arduino Cloud Editor wants to send a command to the Arduino Create Agent, it cryptographically signs the command and appends the signature to the request sent to the agent. The agent verifies the signature and, if it is correct, accepts and executes the command.
175
-
176
-
For usage with certain browsers, specifically with Safari on macOS, the Arduino Create Agent needs to run the web server using a TLS connection. A local Certificate Authority (CA) is generated and used to sign a certificate for the localhost domain. The private key of the CA is erased once the certificate for localhost is signed, while the public certificate of the CA is installed in the local system. The web server of the Arduino Create Agent will then run with a TLS connection. This is done to obey the mixed content specification implemented in Safari which is enforced also for resources loaded from localhost.
0 commit comments