Last Updated: 8/17/2023
Being a 3D printing maker myself, I fully understand the concerns around exposing printers to the internet. It’s a wonderful and powerful tool for all makers, but it has to be done right. Security has been the top priority since day zero of designing and writing the OctoEverywhere service. Every feature I have designed requires absolute security, and if I can’t do it securely, it doesn’t get added to the service.
There are two main things to consider with security:
- Account security that relies on you.
- Service security that relies on OctoEverywhere.
Your Account Security
The #1 entry point to all cyber attacks (even the big corporate hacks) is exploiting users to get their credentials. Your account credentials are the keys to your kingdom. It’s up to you to make sure they are unique and secure. Here’s something to consider to keep your account safe.
- Use Strong Passwords
- Our system enforces a minimum password length, but you must make sure the password is strong. Strong passwords are long and include letters, numbers, and symbols. Using a password manager is a great way to generate secure passwords. You can update your OctoEverywhere password anytime using the password reset system.
- Never Reuse A Password
- Reusing passwords on other websites opens you up to attack. It’s far too common for other websites to leak passwords which are then paired with your email address and used by bad actors. Armed with your email addresses and password from other sites, a bad actor can reuse that combination to gain access to your OctoEverywhere account. Using a password manager is a great and simple way to keep track of per-website passwords.
- Enable 2-Factor Authentication
- OctoEverywhere supports 2-factor authentication, a fantastic way to keep your account secure. Even if a bad actor acquires your email and password, unless they also have the constantly changing 6-digit code from your device they can’t get in. This means your account is still secure even if you accidentally give away your password! I strongly encourage you to enable two-factor authentication on your account, which you can do here.
- Use Google, Facebook, or Apple Login
- Using a login partner adds another layer of security to your account. These massive companies have many great engineers working on keeping our accounts secure. You can add any login to your account, assuming you use the same email address. To fully secure your account, update your OctoEverywhere password to a strong, long, and unique one.
- Email Based Access Challenges
- If you try to log in to your account from a new location, our system will detect the change and require an email-based code challenge. This adds another layer of account security, so even if your credentials were compromised, attackers can’t get direct access to your account.
OctoEverywhere Service Security
As I said at the top of this post, I take security very seriously. No service can ever guarantee perfect security in today’s modern world, but I put security first in everything I do. No matter how great a feature would be for our community, I won’t add it if it can’t be done securely. All of the OctoEverywhere systems are designed with multiple layers of security using cutting-edge security standards and practices.
I believe that transparency is an obligation for all service providers to supply. If there is ever a security-related issue with OctoEverywhere, no matter how small or large, I will promptly inform all users and make sure to get in contact with any users who are directly affected.
We collect the minimal amount of account information as possible, just an email and password. We don’t need to know anything else, so we don’t want to. We don’t even know your first name, so we can’t greet you!
We need to collect more information if you decide to support the project, but our services don’t hold all that information. It’s held by our subscription partners ChargeBee and Stripe. ChargeBee and Stripe are the leading global payment systems in the world.
Your Browser To Printer Connection
When you connect to your printer, your browser’s connection to our servers and your printer’s connection to our servers is encrypted and secured using industry-standard encryption. The same encryption system is used by your bank when you connect to manage your funds online. This is the first layer of security for printer connections. Your browser holds a session cookie that’s 256 bytes of high entropy randomness that identifies you and your authentication to the service. For a browser’s request to be sent to a printer, the browser must present a valid session cookie associated with the correct account and the printer associated with it. Before anyone can send requests to your printer, they must have a valid user session authentication token.
After your browser has authenticated you to the service and the service allows your request to be sent to your printer, you must also log in to the OctoPrint interface using your local OctoPrint credentials. Our OctoEverywhere service securely transports your login credentials through our system but never stores them in any way. The credentials are lost from our system immediately after sending them to your printer. This is the second layer of protection. Since no OctoPrint credential information is ever stored anywhere in our service, a bad actor cannot obtain them from our services.
App connections create a per-app and per-portal session “app id” granting access to only the selected printer. The authentication session given to app connections does not allow the apps access to your account or any other printers. Furthermore, app connections are also secured by unique and random http credentials associated with the app id, which must be present in all of the app’s requests. These credentials are sent in encrypted communication to our servers, so they can’t be intercepted in man-in-the-middle attacks. You can revoke any app’s permission at any time via the shared connections page on our website. Revoking the credentials will immediately block the app and any access to your printer.
The second layer of security on app connections is the authentication key the app must also acquire from OctoPrint. Similar to browser-based connections, even if a bad actor were able to acquire the app’s “app id” and unique password to send requests to the printer, the bad actor would still need to acquire the app’s OctoPrint token, which is known only to the app on your device.
General Service Security
Our service runs on a secure hosting provider, Digital Ocean. Digital Ocean is one of the largest hosting providers in the world, so they are a great choice. Our prescient storage and databases are hosted in Microsoft’s Azure, which is also a leading worldwide hosting provider. Each of these providers has a ton of security practices and rules in place, and I try to follow them all.
I only disclose any OctoEverywhere information to other 3rd party services when absolutely necessary. For example, I need to send a unique user key to ChargeBee to support subscriptions. Any 3rd party service or accounts I use for OctoEverywhere are secured with a unique and strong password and have two-factor authentication set up where available.
I hope this post adds some transparency to the OctoEverywhere service and helps the OctoEverywhere community better understand the extensive security practices and procedures I consider and implement.
If you have any questions or concerns, please feel free to reach out to me via the contact page which will directly email me. I would be more than happy to discuss any further questions anyone has. If any questions are generalized enough and would be interesting for the community, I will update this post with the information.