I'm not really a tech guy but love to code with ESP32 for smart home things. Please don't be too strict about the question.
My general question regarding security and MQTT is the following:
I have a few ESPs which regularly send data to Node-RED. Node-RED is hosted on a vServer, so that means that the server is not in my network.
Do I really have to use SSL for MQTT in this case? I thought about what possible "attacker scenarios" there could be.
Questions:
How can anyone sniff my MQTT when the attacker has no access to my wifi?
Can someone sniff it near the data center?
With access to my wifi - ok, the person can observe the MQTT traffic with Wireshark and can identify my Node-RED IP and topics etc.
What is your opinion... negligent not to use SSL, or nice to have?
Does the contract you have with the company running the vServer say anything about data privacy?
If not, they could be selling your data to anyone. SSL isn't going to stop that, as it only protects data in transit, not data stored on disk.
Regardless of what the hosting company claims, you should assume that the government of whichever country (or countries) is hosting your data can access it.
Personally I wouldn't worry about encrypting non-personal information such as weather data, but anything that reveals your physical address and whether the home is currently occupied should at the very least be obfuscated.
Without SSL and a token/password of some kind, a malicious person could in theory inject fake data, causing your account to exceed its bandwidth quota, which could result in your account being temporarily frozen.
Government access and data center breaches are real scenarios.
For me, in this discussion it is more important to understand where and how someone can sniff my data - or in other words: is it really necessary to use SSL for MQTT?
Yes, I'm also not really understanding if it is really necessary.
I've tried so far to use Wireshark to sniff data - but even in the same network it is not a piece of cake to get all of the MQTT data. So how can someone else access it from outside the network?
Perhaps you need to study how IP networks operate.
On the internet, data gets from one place to another using a series of routers owned by private companies. Any of those routers could be sending a copy of your data to some government agency or criminal gang. If you are using SSL, this doesn't matter, as they will not be able to decipher the information.
That doesn't make sense. Wireshark can capture everything. If you are sending data without using SSL and expecting to see the captured data as plain text, then you will need to run it through a decoder that understands the MQTT packet format.
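To make concrete what the last two replies describe (that every hop between the ESP32 and the vServer sees the raw bytes, and that plain-text MQTT only looks opaque until a decoder is applied), here is an added example, not code from anyone in this thread. It is a minimal decoder for the two MQTT 3.1.1 packets that matter most here: CONNECT, which carries the username and password from the earlier reply about tokens, and PUBLISH, which carries the topic and payload. The sample packets, the client id `esp32-livingroom`, the credentials and the topic `home/livingroom/occupancy` are all constructed for this example. Without TLS, every field the decoder prints below is readable by any router on the path; with TLS, the same router sees only ciphertext.

```python
import struct

# ---- constructed sample packets (MQTT 3.1.1 wire format, no TLS) ----
# CONNECT: protocol name "MQTT", level 4, flags 0xC2 (username + password +
# clean session), keep-alive 60 s, then client id, username, password.
SAMPLE_CONNECT = (
    b"\x10\x2e"                      # fixed header: type 1, remaining length 46
    b"\x00\x04MQTT" b"\x04\xc2\x00\x3c"
    b"\x00\x10esp32-livingroom"      # client id (constructed)
    b"\x00\x08homeuser"              # username (constructed)
    b"\x00\x06s3cret"                # password (constructed)
)
# PUBLISH: QoS 0, not retained, topic followed directly by the payload.
SAMPLE_PUBLISH = (
    b"\x30\x2c"                      # fixed header: type 3, remaining length 44
    b"\x00\x19home/livingroom/occupancy"
    b'{"occupied":true}'
)


def _read_remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' field (1-4 bytes)."""
    value, multiplier = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _read_bytes(buf, pos):
    """Read a 2-byte big-endian length prefix followed by that many bytes."""
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def _read_string(buf, pos):
    raw, pos = _read_bytes(buf, pos)
    return raw.decode("utf-8"), pos


def decode_connect(body):
    proto, pos = _read_string(body, 0)
    level, cflags = body[pos], body[pos + 1]
    (keepalive,) = struct.unpack_from("!H", body, pos + 2)
    pos += 4
    info = {"type": "CONNECT", "protocol": proto, "level": level,
            "keepalive": keepalive}
    info["client_id"], pos = _read_string(body, pos)
    if cflags & 0x04:                       # will flag: will topic + will message
        info["will_topic"], pos = _read_string(body, pos)
        info["will_message"], pos = _read_bytes(body, pos)
    if cflags & 0x80:                       # username flag
        info["username"], pos = _read_string(body, pos)
    if cflags & 0x40:                       # password flag (binary data)
        info["password"], pos = _read_bytes(body, pos)
    return info


def decode_publish(body, flags):
    qos = (flags >> 1) & 0x03
    topic, pos = _read_string(body, 0)
    info = {"type": "PUBLISH", "topic": topic, "qos": qos,
            "retain": bool(flags & 0x01)}
    if qos > 0:                             # packet identifier only for QoS 1/2
        (info["packet_id"],) = struct.unpack_from("!H", body, pos)
        pos += 2
    info["payload"] = body[pos:]
    return info


def decode_packet(data):
    """Decode one MQTT control packet; CONNECT and PUBLISH are fully parsed."""
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    remaining, pos = _read_remaining_length(data, 1)
    body = data[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    if ptype == 1:
        return decode_connect(body)
    if ptype == 3:
        return decode_publish(body, flags)
    return {"type": ptype, "flags": flags, "body": body}


def exposed_fields(packets):
    """Fields an on-path observer reads from unencrypted packets."""
    return [decode_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt in exposed_fields([SAMPLE_CONNECT, SAMPLE_PUBLISH]):
        print(pkt)
```

Running it prints the client id, username, password, topic and JSON payload in the clear, which is exactly the information the thread worries about (whether the home is occupied, plus the credentials needed to publish fake data). Wrapping the connection in TLS (MQTT over port 8883 rather than 1883, with the broker's certificate verified by the ESP32) is the standard way to take all of these fields out of view of the intermediate routers.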