firebase arduino httpclient esp32 esp8266

How to automate the fingerprint updating of Firebase (Arduino-Master-Library)


I have developed a hardware-based project using an ESP32 board in Arduino. I am using Firebase to upload sensor data to the Firebase Realtime Database, and I am using the "firebase-arduino-master" library on the hardware side. The project works fine, but after a few days the Firebase fingerprints change periodically, which forces me to physically reopen the product enclosure to manually update the new fingerprints in the "firebase-arduino-master" library within the hardware code (Arduino). I'm curious if there's a viable solution or method to automate this fingerprint update process, eliminating the need for frequent physical access to the product.

I have attached a screenshot of firebase-arduino-master library, which clearly indicates the fingerprints. Additionally, I have included a screenshot of the website I use to periodically update the fingerprints in the library.

Screenshot1

library screenshot

Screenshot2

updated fingerprints website screenshot


Solution

  • The certificate thumbprint is used to ensure that the database URL you're connecting to really is the legitimate Firebase database that you think it is, and not a different destination (e.g. hosted by a malicious actor that is getting you to share your data and credentials).

    Pinning to a single expected certificate's thumbprint is a simple way to skip implementing the more complicated process of following certificate trust chains. However, this strategy relies on the certificate itself never changing, which is unrealistic (and not recommended) for any modern cloud service.

    Furthermore, the firebase-arduino library you're using is no longer actively maintained:

    "This repository is no longer under active development. No new features will be added and issues are not actively triaged."

    The last update to the library (as of November 12, 2023) was over three years ago. Looking at the library's open issues and open pull requests, many of them are in reference to the same thumbprint issue you're having, and all of them have been ignored.

    All of these are indications that the library is likely abandoned indefinitely, and you shouldn't take a dependency on it.

    So, since the open-source library you're using is abandoned and relies on a certificate verification strategy that isn't reliable, I recommend you choose a different library for your project.

    Searching for "Firebase" in the Arduino IDE's Library Manager, I see many options. Which one should you choose? Let's take two examples from that list (these choices were arbitrary; I have no association or prior experience with either of them) and look at how they deal with the certificate question:

    IMPORTANT: Many libraries and examples out there disable certificate verification. In general, this is NOT a good idea, and risks introducing important security risks. I recommend you take the time to get this part of your project right early on, and avoid deferring this to later (when you will probably have forgotten about the shortcut you took).
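
The difference between the two verification strategies discussed in the answer above, as an added example that is not part of the original answer or of any Firebase library: a pinned thumbprint stops matching after a routine certificate renewal, while validation against the issuing CA keeps working and still rejects a certificate from an untrusted issuer. The CA names, the hostname `db.example.test` and the function names are constructed for this demonstration; it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate is constructed locally; no network is used.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root (a stand-in for a public CA, or for an impostor's CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf NAME CA: fresh key and certificate for the same hostname, signed by CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 90 -out "$WORK/$1.pem" 2>/dev/null
}

fingerprint() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2; }

# Thumbprint pinning: accept only the one certificate whose digest was hard-coded.
pin_check() { [ "$(fingerprint "$1")" = "$2" ]; }

# Chain validation: accept any certificate that chains to the trusted root.
# (A real TLS client also checks that the hostname matches; omitted here.)
chain_check() { openssl verify -CAfile "$WORK/trusted_root.pem" "$WORK/$1.pem" >/dev/null 2>&1; }

make_ca trusted_root
make_ca rogue_root
issue_leaf leaf_old trusted_root     # certificate in service when the firmware was built
PINNED=$(fingerprint leaf_old)       # digest baked into the device
issue_leaf leaf_new trusted_root     # same service after a routine certificate renewal
issue_leaf leaf_rogue rogue_root     # same hostname, but signed by an untrusted CA

for cert in leaf_old leaf_new leaf_rogue; do
  pin_check "$cert" "$PINNED" && p=accept || p=REJECT
  chain_check "$cert" && c=accept || c=REJECT
  echo "$cert pin=$p chain=$c"
done
```

On a device, the equivalent of `chain_check` is to store the root CA certificate in the firmware instead of a leaf thumbprint, since root certificates are replaced far less often than the certificates they sign.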