I downloaded the Chromecast app on my Mac to check this during the initial setup.
It does indeed communicate over unencrypted HTTP port 8008, but it is not that bad. It looks like the encryption is done using a private/public key solution.
Here are parts of the traffic dump (some long strings are truncated):

POST /setup/connect_wifi HTTP/1.1
Host: 192.168.255.249:8008
Content-Type: application/json
Origin: https://www.google.com

{"enc_passwd":"GriLcctBGaDNe7Udohz1x7avTtn2B\...J0QsqpUuUQCKf1xTw2bbZgSOlnzmo\/SgUXkXq0cLqJ4fg7efDQcZQyA7MDqUsbt6LvXJt3htX8sZY0EVV1OPMm3GNgw==","wpa_auth":7,"wpa_cipher":4,"ssid":"mySSID","wpa_id":0,"scan_ssid":0}

GET /setup/eureka_info?options=detail HTTP/1.1
Host: 192.168.255.249:8008
Origin: https://www.google.com

HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type
Cache-Control: no-cache
Access-Control-Allow-Origin: https://www.google.com
Content-Type: application/json
Content-Length: 1224

{"build_version":"15098","connected":false,"detail":{"icon_list":[{"depth":32,"height":55,"mimetype":"image/png","url":"http://192.168.255.249:8008/setup/icon.png","width":98}],"locale":{"display_string":"English (United States)"},"manufacturer":"Google Inc.","model_name":"Eureka Dongle"},"has_update":false,"hdmi_control":true,"hotspot_bssid":"FA:8F:CA:xx:xx:xx","locale":"en-US","location":{"country_code":"NO","latitude":255.0,"longitude":255.0},"mac_address":"6C:AD:F8:xx:xx:xx","name":"Chromecast0000","noise_level":-90,"opt_in":{"crash":true,"device_id":false,"stats":true},"public_key":"MIIBCgKCAQEAuSE...7FP4C55KZcukmaVf6H/jiEYBHdAg53HnpmqSw0hRoY6GcF9uvGBVau...IDAQAB","release_track":"stable-channel","setup_state":20,"signal_level":-52,"ssdp_udn":"97d55d2...","ssid":"mySSID","uma_client_id":"AA97794C-...","uptime":1893.45,"version":4,"wpa_configured":false,"wpa_id":0,"wpa_state":4}

GET /setup/eureka_info?options=detail HTTP/1.1
Host: 192.168.255.249:8008
Origin: https://www.google.com
...

Any info about the encryption method? – Mickael Marrache – 2018-04-23T20:26:26.613
I answered this 4 years ago, many Chromecasts since then :) Google know what they are doing, and I haven't seen any bad news about insecurity in this since. I would imagine it is safe to use, and they have done the implementation right. – xeor – 2018-04-23T20:36:43.293
I'm looking for a way to generate a /setup/connect_wifi request myself but I can't find any information about the encryption method. I only know the public key is an RSA 2048 bit key... – Mickael Marrache – 2018-04-23T20:38:52.713
There is probably a "secret" you will have a very hard time getting inside the Chromecast as well. So I don't think "generating a connect_wifi request" is the way to go. Submit a new question, explaining the problem in detail and what you got. Maybe there are some clever solutions, or a completely different way of solving it. – xeor – 2018-04-24T05:29:09.810
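
Added example, not part of the original answer or comments: a small parser for the public_key value returned by /setup/eureka_info, showing that the MIIBCgKCAQEA prefix and IDAQAB suffix visible in the dump are what a base64-encoded PKCS#1 RSAPublicKey with a 2048-bit modulus and exponent 65537 looks like. The key in the dump is truncated, so the sample is built from a constructed placeholder modulus; all function names are hypothetical, and nothing here says which padding the device expects for enc_passwd.

```python
import base64

def read_tlv(buf, pos, expected_tag):
    """Read one DER element at pos; return (value_bytes, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError("unexpected or missing DER tag")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def parse_rsa_public_key(b64_text):
    """Decode a base64 PKCS#1 RSAPublicKey; return (modulus_bits, exponent)."""
    der = base64.b64decode(b64_text, validate=True)
    body, end = read_tlv(der, 0, 0x30)         # SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after key")
    n_bytes, pos = read_tlv(body, 0, 0x02)     # INTEGER modulus
    e_bytes, pos = read_tlv(body, pos, 0x02)   # INTEGER publicExponent
    if pos != len(body):
        raise ValueError("unexpected extra fields")
    return (int.from_bytes(n_bytes, "big").bit_length(),
            int.from_bytes(e_bytes, "big"))

def der_tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    ln = len(value)
    if ln < 0x80:
        header = bytes([ln])
    else:
        n = (ln.bit_length() + 7) // 8
        header = bytes([0x80 | n]) + ln.to_bytes(n, "big")
    return bytes([tag]) + header + value

def build_sample_key():
    """Constructed sample: right shape and size, NOT a usable RSA modulus."""
    modulus = (1 << 2047) | 1
    n_field = b"\x00" + modulus.to_bytes(256, "big")   # leading 0 keeps INTEGER positive
    e_field = (65537).to_bytes(3, "big")
    seq = der_tlv(0x30, der_tlv(0x02, n_field) + der_tlv(0x02, e_field))
    return base64.b64encode(seq).decode("ascii")

SAMPLE_KEY_B64 = build_sample_key()

if __name__ == "__main__":
    print(SAMPLE_KEY_B64[:12], "...", SAMPLE_KEY_B64[-6:])
    print(parse_rsa_public_key(SAMPLE_KEY_B64))
```
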