In light of the recent security concerns and discussion surrounding other OctoPrint remote services, I wanted to take some time to discuss the security and practices I use in OctoEverywhere to keep your account and printer secure.
To be clear – there are no active security issues or concerns with OctoEverywhere.
Being a 3D printing maker myself, I fully understand the concerns around exposing printers to the internet. It’s a wonderful and powerful tool for all makers, but it has to be done right. From day zero of designing and writing the OctoEverywhere service, security has been the top priority. Every feature I have designed requires absolute security and if I can’t do it in a secure way, it doesn’t get added to the service.
There are two main things to consider with security:
- Account security that relies on you.
- Service security that relies on OctoEverywhere.
Your Account Security
The #1 entry point to all cyber attacks (even the big corporate hacks) is exploiting a user to get their credentials in some way. Your account credentials are the keys to your kingdom. It’s up to you to make sure they are unique and secure. Here’s something to consider to keep your account safe.
- Use Strong Passwords
  - Our system enforces a minimum password length, but you must make sure the password is strong. Strong passwords are long and include letters, numbers, and symbols. Using a password manager is a great way to generate secure passwords. You can update your OctoEverywhere password anytime using the password reset system.
- Never Reuse A Password
  - Reusing passwords on other websites opens you up to attack. It’s far too common for other websites to leak passwords which are then paired with your email address and used by bad actors. Armed with your email address and password from other sites, a bad actor can reuse that combination to gain access to your OctoEverywhere account. Using a password manager is a great and simple way to keep track of per-website passwords.
- Enable 2 Factor Authentication
  - OctoEverywhere supports 2 factor authentication which is an amazing way of keeping your account secure. Even if a bad actor acquires your email and password, unless they also have the constantly changing 6-digit code from your device they can’t get in. This means even if you accidentally give away your password, your account is still secure! I strongly encourage you to enable two factor authentication on your account, which you can do here.
- Use Google, Facebook, or Apple Login
  - Using a login partner adds another layer of security to your account. These massive companies have many great engineers working on keeping our accounts secure. You can add any login to your account assuming you use the same email address. To fully secure your account, also update your OctoEverywhere password to a strong, long, and unique password.
OctoEverywhere Service Security
As I said at the top of this post, I take security very seriously. No service can ever guarantee perfect security in today’s modern world, but I put security first in everything I do. No matter how great a feature would be for our community, if it can’t be done securely, I won’t add it. All of the OctoEverywhere systems are designed with multiple layers of security using cutting-edge security standards and practices.
I believe that transparency is an obligation for all service providers to supply. If there is ever a security-related issue with OctoEverywhere, no matter how small or large, I will promptly inform all users and make sure to get in contact with any users who are directly affected.
We collect the minimum amount of account information possible, just an email and password. We don’t need to know anything else, so we don’t want to. We don’t even know your first name, so we can’t even greet you!
We do need to collect more information if you decide to support the project, but that information isn’t held by our services; it’s held by our subscription partners, ChargeBee and Stripe. ChargeBee and Stripe are the leading global payment systems in the world.
Your Browser To Printer Connection
When you connect to your printer, both your browser’s connection to our servers and your printer’s connection to our servers are encrypted and secured using industry-standard encryption. The same encryption system is used by your bank when you connect to manage your funds online. This is the first layer of security for printer connections. Your browser holds a session cookie that’s 256 bytes of high entropy randomness that identifies you and your authentication to the service. For a browser’s request to be sent to a printer, the browser must present a valid session cookie that’s associated with the correct account and has the printer associated with it. This means that before anyone can send requests to your printer, they must first have a valid user session authentication token.
After your browser has authenticated you to the service and the service allows your request to be sent to your printer, you must also log in to the OctoPrint interface using your local OctoPrint credentials. Our OctoEverywhere service securely transports your login credentials through our system but never stores them in any way. The credentials are lost from our system immediately after sending them to your printer. This is the second layer of protection. Since no OctoPrint credential information is ever stored anywhere in our service, a bad actor has no way of obtaining them from our services.
App connections create a per-app and per-portal session “app id” that grants the app access to only the selected printer. The authentication session given to app connections does not allow the apps access to your account or any other printers on it. Furthermore, app connections are also secured by a set of unique and random HTTP credentials associated with the app id, that must be present in all of the app’s requests. These credentials are sent in the encrypted communication to our servers, so they can’t be intercepted in man-in-the-middle attacks. You have the power to revoke any app’s permission at any time via the shared connections page on our website. Revoking the credentials will immediately block the app and any access to your printer.
The second layer of security on app connections is the authentication key the app must also acquire from OctoPrint. Same as the browser-based connections, even if a bad actor were able to acquire the app’s “app id” and unique password to send requests to the printer, the bad actor would still need to acquire the app’s OctoPrint token which is known only to the app on your device.
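The relay-side checks described in this section can be modelled as follows. This is an added example, not OctoEverywhere's own code: the `Gateway` class, its method names, the in-memory stores and the choice to keep only SHA-256 digests of secrets server-side are all assumptions made for illustration.

```python
import hashlib
import secrets


class Gateway:
    """Hypothetical model of the first-layer (relay) authorization checks."""

    def __init__(self):
        self.printers = {}  # account -> set of printer ids on that account
        self.sessions = {}  # sha256(session token) -> account
        self.apps = {}      # app id -> (sha256(app secret), the one printer in scope)

    @staticmethod
    def _digest(secret):
        # Assumption: only digests are stored, so a leaked table holds no usable token.
        return hashlib.sha256(secret).digest()

    def login(self, account):
        token = secrets.token_bytes(256)  # 256 bytes from the OS CSPRNG, as in the post
        self.sessions[self._digest(token)] = account
        return token

    def grant_app(self, account, printer):
        if printer not in self.printers.get(account, set()):
            raise PermissionError("printer is not on this account")
        app_id, secret = secrets.token_hex(16), secrets.token_bytes(32)
        self.apps[app_id] = (self._digest(secret), printer)
        return app_id, secret

    def revoke_app(self, app_id):
        self.apps.pop(app_id, None)  # takes effect on the app's next request

    def browser_may_relay(self, token, printer):
        # Valid session AND the printer belongs to that session's account.
        account = self.sessions.get(self._digest(token))
        return account is not None and printer in self.printers.get(account, set())

    def app_may_relay(self, app_id, secret, printer):
        # App credentials are scoped to a single printer, never to the whole account.
        entry = self.apps.get(app_id)
        if entry is None:
            return False
        stored, scoped_printer = entry
        return secrets.compare_digest(stored, self._digest(secret)) and printer == scoped_printer
```

A request that passes these checks has only cleared the first layer; the printer's own OctoPrint login or app token is still required and is never held by the relay.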
General Service Security
Our service runs on a secure hosting provider, Digital Ocean. Digital Ocean is one of the largest hosting providers in the world, so they are a great choice. Our persistent storage and databases are hosted in Microsoft’s Azure, which is also a leading worldwide hosting provider. Each of these providers has a ton of security practices and rules in place, and I try to follow them all.
I only disclose any OctoEverywhere information to other 3rd party services when absolutely necessary. For example, to support subscriptions I need to send a unique user key to ChargeBee. Any 3rd party service or accounts I use for OctoEverywhere are secured with a unique and strong password and also have two-factor authentication set up where available.
I hope this post adds some transparency to the OctoEverywhere service and helps the OctoEverywhere community better understand the extensive security practices and procedures I consider and implement.
If you have any questions or concerns, please feel free to reach out to me via the contact page which will directly email me. I would be more than happy to discuss any further questions anyone has. If any of the questions are generalized enough and would be interesting for the community, I will update this post with the information.