With the emphasis on IoT security, SSL has become the de facto solution for securing MQTT connections.
In fact, the majority of the questions I get are SSL-related.
What I find surprising is that not many people appear to be considering payload encryption instead of SSL and certificates.
Payload encryption has, in my opinion, many advantages over SSL. The main ones are:
- It is end to end, not link based.
- No broker configuration is required.
- The technique can also hide topic names.
The Rationale for SSL and the Problems with SSL
SSL is used extensively on the web, e.g. shopping websites, Gmail, etc.
SSL is secure and provides good link encryption.
Link encryption is sufficient in a client-server environment where the server hosts the actual application.
However, in the case of Gmail, link encryption is not really sufficient, as the email needs to be forwarded across the email network, so for end-to-end encryption every link in the chain needs to be encrypted.
SSL encryption therefore has shortcomings when dealing with a message-based system, which is what email is and also what MQTT is.
For an MQTT message to be secure, the publisher and subscriber must both use SSL, and any bridged connections must also use SSL.
Encrypting Message Payloads
This is quite a straightforward process in Python and node-red. I did a Python example some time ago and will also be doing a node-red flow shortly.
I am not really sure if this is really of any use, but maybe you have an example.
I hope to try this and other methods in the coming weeks.
This post is a discussion post, and I would be very grateful for any thoughts you may have.