The Espressif documentation notes:
It is recommended to use TLS (Transport Layer Security) in all external communications (e.g., cloud communication, OTA updates) from the ESP device. ESP-IDF supports Mbed TLS as the official TLS stack.
As far as I can tell the current firmware only communicates over unauthenticated HTTP. This is particularly worrisome for OTA updates as (AFAIU) this is no protection against the firmware being tampered with in transit, or even DNS being hijacked.
Are there any plans on swithcing to TLS support for hw.airgradient.com? At the very least, if you were to add HTTPS support to your hw.airgradient.com I could potentially try patching the firmware myself.
The S in IoT stands for security. — Tim Kadlec