When accessing Slideshow’s web interface using a web browser on your computer, you might get a screen like this:
If you would like to know what this screen means, whether there is any security risk and what can be done with it, this article is for you.
What is HTTPS?
When a web browser (Chrome, Edge, Firefox or a different one) on your computer is communicating with a web server (google.com, slideshow.digital or the embedded web server in the Slideshow app), it uses Hypertext Transfer Protocol (HTTP). This protocol doesn’t encrypt data by default, so it is not secure and it might be vulnerable to attacks such as man-in-the-middle (also known as eavesdropping). Although it is usually not a huge issue when the communication is just on a private network, it is a big deal while connected to a public WiFi or logging in to an account on any website.
HTTPS is a secured variant of HTTP, which encrypts all traffic between your web browser and web server. By encrypting the data it solves the main security issue of HTTP protocol – no third party can read or modify the data.
You can check whether you are connecting to a web server using HTTP or HTTPS protocol by checking the address line in your browser. For example, both http://slideshow.digital and https://slideshow.digital point to the same web server, but the first address is using HTTP protocol (not secured) and the second one is using HTTPS protocol (secured). Most web servers nowadays are set up to make an automatic redirect from HTTP to HTTPS for additional security.
In order to establish secured and encrypted communication between a web browser and a web server, the web server must have a certificate issued by a trusted certificate authority. This certificate is called an HTTPS certificate or SSL certificate.
Web browsers have a list of certificate authorities they trust, and they can verify whether the certificate of the web server was issued by one of the trusted authorities. Thanks to this, your browser can confirm that the server that it is connecting to is the correct server and not a fake one set up by an attacker or hacker.
For example, web server slideshow.digital uses a certificate issued by an authority called Let’s Encrypt. All recent web browsers have this authority in their trusted lists.
HTTP and HTTPS in Slideshow's web interface
Slideshow’s web interface is by default accessible through both HTTP and HTTPS protocols. If you are on a private local network and all your WiFi networks are secured with a strong password, using HTTP is usually not a problem, but you can still use HTTPS if needed.
However, Slideshow’s web interface is accessible only on a local network by opening the IP address of the device in your web browser, and there is no way to get a proper HTTPS / SSL certificate (signed by a trusted certificate authority) for a private IP address. That’s why Slideshow generates the HTTPS certificate by itself the first time it is started on the particular device. This certificate is not signed by a trusted certificate authority; it is a so-called “self-signed” certificate.
Some recent web browsers automatically try to redirect users from HTTP to HTTPS (for additional security), so even if you are trying to access Slideshow’s web interface through HTTP, the browser might redirect you to HTTPS in the background. Because it sees just a self-signed HTTPS certificate, it displays a security warning. You can skip this warning by clicking on the Advanced button and then the Accept the Risk and Continue button. This will allow you to use Slideshow’s web interface without any restrictions.
There are security implications to skipping the warning, but as long as you are on a private network which is reasonably secured, it is usually OK to skip the warning. Never skip the warning on public websites.
Using your own signed HTTPS certificate
If you are on a corporate network, you might have domain names assigned to devices (including Slideshow) and have your own certificate authority set up. In this case, you can issue a certificate for Slideshow in your certificate authority, convert it to PKCS12 format (includes both private key and certificate), and upload it to Slideshow via menu Device settings – scroll down to Certificate for HTTPS. After restarting the Slideshow app you shouldn’t get any HTTPS certificate warning anymore.
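The issue-and-convert step described above can be done with the openssl command line. The script below is an added example, not part of Slideshow or its documentation; the hostname, file names and the throwaway CA are constructed, and it assumes the PKCS12 password is supplied in the P12_PASS environment variable so it does not appear in the process list.

```shell
#!/bin/sh
# Added example. The hostname, file names and the throwaway CA are constructed;
# in practice the corporate CA signs device.csr and its key never leaves the CA.
set -eu

# build_p12 HOSTNAME OUTDIR  (PKCS12 password is read from $P12_PASS)
build_p12() (
  host=$1; dir=$2
  : "${P12_PASS:?export P12_PASS first}"
  umask 077                      # key material is created owner-only
  mkdir -p "$dir"
  # 1. Stand-in CA (skip this step when you have a real one).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Device private key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
  # 3. CA signs the request. Browsers match the name in subjectAltName, not CN.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/ext.cnf" \
    -out "$dir/device.crt" 2>/dev/null
  # 4. Fail early if the certificate does not chain to the CA.
  openssl verify -CAfile "$dir/ca.crt" "$dir/device.crt" >/dev/null
  # 5. Bundle private key + certificate (+ CA certificate) into one PKCS12 file.
  openssl pkcs12 -export -inkey "$dir/device.key" -in "$dir/device.crt" \
    -certfile "$dir/ca.crt" -name "$host" -passout env:P12_PASS \
    -out "$dir/device.p12"
)

# check_p12 FILE HOSTNAME: succeeds only if FILE opens with $P12_PASS and its
# certificate lists HOSTNAME as a DNS subjectAltName.
check_p12() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Run as: P12_PASS=... sh script.sh slideshow-lobby.example.internal ./out
if [ "$#" -eq 2 ]; then
  build_p12 "$1" "$2"
  check_p12 "$2/device.p12" "$1"
  echo "wrote $2/device.p12"
fi
```

The resulting device.p12 contains the private key, so delete the working directory once the file has been uploaded.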