{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,6]],"date-time":"2026-01-06T05:24:17Z","timestamp":1767677057014,"version":"3.48.0"},"reference-count":29,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>This contribution outlines a completely new, fully local approach for secure web-based device control on the basis of browser inter-window messaging. Modern smart home IoT (Internet of Things) devices are commonly controlled with proprietary mobile applications via remote servers, which can have significant adverse implications for the end user. Given that many IoT devices in use today are limited in both available memory and processing speed, standard approaches such as HTTPS-based transport security are not always feasible and a need for more suitable alternatives for such constrained devices arises. The proposed local method for lightweight and secure web-based device control using inter-window messaging leverages existing standard web technologies to enable a maximum degree of privacy, choice, and sustainability within the smart home ecosystem. The implemented proof-of-concept shows that it is feasible to meet essential security objectives in a local web IoT control context while utilizing less than a kilobyte of additional memory compared to an unsecured solution, thereby promoting sustainability through hardening of the control protocols used by existing devices with too few resources for implementing standard web cryptography. In this way, the present work contributes to achieving the vision of a fully open and secure local smart home.<\/jats:p>","DOI":"10.3390\/jcp6010009","type":"journal-article","created":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T12:23:44Z","timestamp":1767356624000},"page":"9","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Secure Local Communication Between Browser Clients and Resource-Constrained Embedded IoT Devices"],"prefix":"10.3390","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-9430-2201","authenticated-orcid":false,"given":"Christian","family":"Schwinne","sequence":"first","affiliation":[{"name":"Department Hamm 1, Hamm-Lippstadt University of Applied Sciences, 59063 Hamm, Germany"}]},{"given":"Jan","family":"Pelzl","sequence":"additional","affiliation":[{"name":"Department Hamm 1, Hamm-Lippstadt University of Applied Sciences, 59063 Hamm, Germany"}]}],"member":"1968","published-online":{"date-parts":[[2026,1,1]]},"reference":[{"key":"ref_1","unstructured":"Card, S.K., Moran, T.P., and Newell, A. (1983). The Psychology of Human-Computer Interaction, CRC Press."},{"key":"ref_2","unstructured":"Google (2025, December 24). Support for Nest Secure Ended. Available online: https:\/\/support.google.com\/googlenest\/answer\/10191961?hl=en."},{"key":"ref_3","unstructured":"Open Home Foundation (2025, December 24). About Us. Available online: https:\/\/www.openhomefoundation.org\/about\/."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"198","DOI":"10.1109\/TIT.1983.1056650","article-title":"On the security of public key protocols","volume":"29","author":"Dolev","year":"1983","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref_5","unstructured":"Creese, S., Goldsmith, M., Roscoe, A., and Zakiuddin, I. (April, January 31). The attacker in ubiquitous computing environments: Formalising the threat model. Proceedings of the FAST 2003, San Francisco, CA, USA."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Paar, C., Pelzl, J., and G\u00fcneysu, T. (2024). Understanding Cryptography, Springer.","DOI":"10.1007\/978-3-662-69007-9"},{"key":"ref_7","unstructured":"MDN Web Docs (2025, December 24). Progressive Web Apps. Available online: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Progressive_web_apps."},{"key":"ref_8","unstructured":"Ptacek, T. (2025, December 24). Javascript Cryptography Considered Harmful. Available online: https:\/\/gist.githubusercontent.com\/atoponce\/e90089cb5a13ef38a7a07f8e64370dab\/raw\/22299b4e722840f955ebc3d65d6ec040811601f1\/post.md."},{"key":"ref_9","unstructured":"Meixler Technologies Inc. (2025, December 24). Browser Crypto. Available online: https:\/\/web.archive.org\/web\/20250207144343\/https:\/\/www.pageintegrity.net\/browsercrypto.php."},{"key":"ref_10","unstructured":"Shekh-Yusef, R., Ahrens, D., and Bremer, S. (2025, December 24). HTTP Digest Access Authentication. RFC 7616. Available online: https:\/\/www.rfc-editor.org\/info\/rfc7616."},{"key":"ref_11","unstructured":"Nir, Y., and Langley, A. (2025, December 24). ChaCha20 and Poly1305 for IETF Protocols. RFC 8439. Available online: https:\/\/www.rfc-editor.org\/info\/rfc8439."},{"key":"ref_12","first-page":"1","article-title":"Ascon-Based Lightweight Cryptography Standards for Constrained Devices","volume":"232","author":"Turan","year":"2025","journal-title":"NIST SP 800"},{"key":"ref_13","unstructured":"Schwinne, C., and WLED Knowledge Base Contributors (2025, December 24). JSON API. Available online: https:\/\/kno.wled.ge\/interfaces\/json-api\/."},{"key":"ref_14","unstructured":"MDN Web Docs (2025, November 29). Cross-Origin-Opener-Policy (COOP) Header. Available online: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Reference\/Headers\/Cross-Origin-Opener-Policy."},{"key":"ref_15","unstructured":"MDN Web Docs (2025, November 29). Cross-Origin-Embedder-Policy (COEP) Header. Available online: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Reference\/Headers\/Cross-Origin-Embedder-Policy."},{"key":"ref_16","unstructured":"MDN Web Docs (2025, December 24). SubtleCrypto: DeriveKey() Method. Available online: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/SubtleCrypto\/deriveKey."},{"key":"ref_17","unstructured":"Biryukov, A., Dinu, D., Khovratovich, D., and Josefsson, S. (2025, December 24). Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications. RFC 9106. Available online: https:\/\/www.rfc-editor.org\/info\/rfc9106."},{"key":"ref_18","unstructured":"Scroggs, K. (2025, December 24). argon2-wasm. Available online: https:\/\/github.com\/very-amused\/argon2-wasm#readme."},{"key":"ref_19","unstructured":"OWASP (2025, December 24). Password Storage Cheat Sheet. Available online: https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Password_Storage_Cheat_Sheet.html#pbkdf2."},{"key":"ref_20","unstructured":"Doherty, W.J., Watson, T.J., and Thadani, A.J. (2025, December 24). The Economic Value of Rapid Response Time. IBM Technical Report GE20-0752-0. Available online: https:\/\/jlelliotton.blogspot.com\/p\/the-economic-value-of-rapid-response.html."},{"key":"ref_21","unstructured":"Yablonski, J. (2025, December 24). Doherty Threshold. Available online: https:\/\/lawsofux.com\/doherty-threshold\/."},{"key":"ref_22","unstructured":"Espressif Systems (2025, December 24). ESP32 Technical Reference Manual. Available online: https:\/\/documentation.espressif.com\/esp32_technical_reference_manual_en.pdf\/#rng."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Preu\u00df Mattsson, J., Smeets, B., and Thormarker, E. (2021). Quantum-Resistant Cryptography. arXiv.","DOI":"10.23919\/ETR.2021.9904724"},{"key":"ref_24","unstructured":"Housley, R., Hoyland, J., Sethi, M., and Wood, C.A. (2025, December 24). Guidance for External Pre-Shared Key (PSK) Usage in TLS. Available online: https:\/\/www.rfc-editor.org\/info\/rfc9257."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Sy, E., Burkert, C., Federrath, H., and Fischer, M. (2018, January 3\u20137). Tracking Users Across the Web via TLS Session Resumption. Proceedings of the 34th Annual Computer Security Applications Conference, New York, NY, USA. ACSAC \u201918.","DOI":"10.1145\/3274694.3274708"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Kim, J., van Schaik, S., Genkin, D., and Yarom, Y. (2023, January 26\u201330). iLeakage: Browser-Based Timerless Speculative Execution Attacks on Apple Devices. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA. CCS \u201923.","DOI":"10.1145\/3576915.3616611"},{"key":"ref_27","unstructured":"(2025, December 24). MDN Web Docs. Mixed Content. Available online: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Defenses\/Mixed_content."},{"key":"ref_28","unstructured":"Zeng, E., and Roesner, F. (2019, January 14\u201316). Understanding and Improving Security and Privacy in Multi-User Smart Homes: A Design Exploration and In-Home User Study. Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, USA."},{"key":"ref_29","unstructured":"Ellis, C. (2025, December 24). Available online: https:\/\/github.com\/Aircoookie\/arduino-crypto."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/6\/1\/9\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,6]],"date-time":"2026-01-06T05:12:01Z","timestamp":1767676321000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/6\/1\/9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,1]]},"references-count":29,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,2]]}},"alternative-id":["jcp6010009"],"URL":"https:\/\/doi.org\/10.3390\/jcp6010009","relation":{},"ISSN":["2624-800X"],"issn-type":[{"type":"electronic","value":"2624-800X"}],"subject":[],"published":{"date-parts":[[2026,1,1]]}}}