[stefan_]

HTTP is an unhappy medium, just like an Open WiFi: we could have perfect forward secrecy encryption alone, but instead we have to choose between "no encryption, no authentication" and "encryption and authentication".

Now we would still like both of course but as the GP correctly states, Google et al have no interest in any of that. They are much better off when both the device and the app just connect to the vendor cloud where they can happily vacuum data. Local network is a not use case at all.

[Wowfunhappy]

I think we're saying the same thing—it would be good if such a standard existed, but it doesn't. So of the available options, simply settling for http seems like the most reasonable to me.

The only real alternative I can think of is to make the entire device dependent on a cloud service of some sort. Which IMO would be clearly worse for a whole host of reasons (among them, now your device is useless if that service goes down).

[thayne]

https without certificate verification still leaves you vulnerable to MITM, as long as the attacker can intercept, and manipulate, the session negotiation. However, I do think there is value in a trust-on-first-use (TOFU) model for trusting self-signed certificates. The biggest challenge is how to educate users on when it would be appropriate to accept the risks of TOFU.