How automate the fingerprints updating of Firebase (Arduino-Master-Library)
I have developed a hardware-based project using esp32 board in ARDUINO, I am using firebase to upload data of sensors to the Firebase realtime database. I am using "firebase-arduino-master" library at the hardware side. The project works fines but after few days fingerprints of Firebase changes periodically which causes me to physically reopen the product enclosure to manually update the new fingerprints in the "firebase-arduino-master" library within the hardware code (Arduino). I'm curious if there's a viable solution or method to automate this fingerprint update process, eliminating the need for frequent physical access to the product.
I have attached a screenshot of firebase-arduino-master library, which clearly indicates the fingerprints. Additionally, I have included a screenshot of the website I use to periodically update the fingerprints in the library.
Screenshot1
....................................................................................................................................................................................................................................................................................
Screenshot2
The certificate thumbprint is used to ensure that the database URL you're connecting to really is the legitimate Firebase database that you think it is, and not a different destination (e.g. hosted by a malicious actor that is getting you to share your data and credentials).
Pinning to a single expected certificate's thumbprint is a simple way to skip implementing the more complicated process of following certificate trust chains. However, this strategy relies on the certificate itself never changing, which is unrealistic (and not recommended) for any modern cloud service.
Furthermore, the firebase-arduino library you're using is no longer actively maintained:
This repository is no longer under active development. No new features will be added and issues are not actively triaged.
The last update to the library (as of November 12, 2023) was over three years ago. Looking at the library's open issues and open pull requests, many of them are in reference to the same thumbprint issue you're having, and all of them have been ignored.
All of these are indications that the library is likely abandoned indefinitely, and you shouldn't take a dependency on it.
So, since the open-source library you're using is abandoned and relies on a certificate verification strategy that isn't reliable, I recommend you choose a different library for your project.
Searching for "Firebase" in the Arduino IDE's Library Manager, I see many options. Which one should you choose? Let's take two examples from that list, (these choices were arbitrary, I have no association or prior experience with either of them), and look at how they deal with the certificate question:
Firebase Arduino Client Library for ESP8266 and ESP32 - This library has been around for about a year (as of November 2023), and appears to be actively maintained. It includes an example for accessing a Firebase real-time database (RTDB) using a trusted root certificate to verify the secure connection. (A root certificate is not expected to be updated frequently at all, the one in the example expires in 2036.) See more details on the README page.
This library appears to be actively maintained and supports TLS certificate verification, both of which are positive points, and reasons you might want to consider this (or a similar) library for your project.
(Name omitted) - This library is very new, and the GitHub repo has only been around for a few days. Because it's so new, there are no issues or pull requests yet, so it's difficult to say if it'll be actively maintained. Taking a closer look at how it deals with secure connections, I see... it doesn't. Instead, it simply turns off certificate verification entirely:
_httpsClient.setInsecure();The fact the library is so new and the fact that it currently skips certificate validation entirely are both indications that the library is not yet mature, and you may want to hold off on taking a dependency just yet.
Note: These are point-in-time observations which could very well be resolved in the future. To keep this answer relevant in the future (and to not unfairly ding a library that is clearly new and in-development) I've omitted the library name and links.
IMPORTANT: Many libraries and examples out there disable certificate verification. In general, is NOT a good idea, and risks introducing important security risks. I recommend you take the time to get this part of your project right early on, and avoid deferring this to later (when you will probably have forgotten about the shortcut you took).
- java.lang.IllegalAccessError: superclass access check failed: class org.jetbrains.kotlin.kapt3.base.javac.KaptJavaCompiler?
- Unable to add Firebase Performance Plugin for the new Android gradle project structure
- How to fix duplication error of GoogleUtilities Swift?
- Firebase Realtime Listener Concept - how to detach / unsubscribe from the listener?
- Google Firebase: How do I "work around" an invalid "issuer" value in my client's OIDC discovery document?
- Firebase Cloud Messaging - FirebaseMessaging.instance.getToken() throwing unknown error
- Firestore JSON parsing terminated
- Firebase cloud messaging HTTP v1 send error - 400 Client Error: Bad Request for url: https://fcm.googleapis.com/v1/projects/<PROJECT_ID>/messages:send
- Do subcollections avoid listener scaling problems that collections have?
- Error: Component auth has not been registered yet - React, NextJs, Firebase auth
- Firebase Storage Rules with Custom Claims
- How to ask for android user permission for Analytics on Flutter
- Firebase web Push notifications is triggered twice when using onBackgroundMessage()
- Firebase Phone Auth isn't sending SMS with code
- Understanding Firestore addSnapshotListener: Does It Return All Matching Documents or Only New Inserts?
- What is the raw format for a Firestore Timestamp
- Issues with Dependencies in Firebase App Hosting and Cloud Functions Deployments for Next.js App
- Firebase Cloud Functions cannot read nitro generated index.mjs file
- Flutter cloud_firestore Filter.or using DocumentReference throws Invalid argument error
- Unable to resolve host "www.googleapis.com":No address associated with hostname Android Studio Messanger Project
- type 'List<Object?>' is not a subtype of type 'PigeonUserDetails?' in type cast
- Is it possible to use Firebase for app user without Google account?
- Firebase Error: Auth error from APNS or Web Push Service
- Make sure to call FirebaseApp.initializeApp(Context) first.Default FirebaseApp is not initialized in this process
- Problem while using Firebase cloud functions in Unity: request data always empty
- The binary version of its metadata is 1.7.1, expected version is 1.5.1. How to Solve?
- Skipping write to Firestore if Anonymous user logic
- How to call await correctly?
- FCM Android Notification sound issue
- Put blank values in a form when I change the name of an input