[mosquitto-dev] tls / acl security discussion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[mosquitto-dev] tls / acl security discussion

From: Leandro <ingrogger@xxxxxxxxx>
Date: Fri, 8 Sep 2017 16:31:43 -0300
Delivered-to: mosquitto-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/mosquitto-dev>
List-help: <mailto:mosquitto-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1


Hi guys , I need to deploy a security diagram for my mqtt service.

I would like to share my thoughts about tls and acl.

First idea.
Using only server vs server and client certificate:
I think that it has no sense to use client certificate , since if some
grants physical access to the device storage , would have access to my
mosquitto server even if I server request clients certificate or not.

Second Idea.
Using only ca signed certificate (similar to https) I will have
encryption and in case someone grants my certificate I can limit it
access to an specific topic with acl.

Third idea:
To use some rate limit on the firewall so I can protect the service
against a dos.


Other ?? Any other idea about seurity would be pretiated,
Regards,
Leo.

Follow-Ups:
- Re: [mosquitto-dev] tls / acl security discussion
  - From: Tatsuzo Osawa
- Re: [mosquitto-dev] tls / acl security discussion
  - From: Tatsuzo Osawa

Prev by Date: Re: [mosquitto-dev] tls ... how to get it working (Leandro)
Next by Date: Re: [mosquitto-dev] tls / acl security discussion
Previous by thread: Re: [mosquitto-dev] tls ... how to get it working (Leandro)
Next by thread: Re: [mosquitto-dev] tls / acl security discussion
Index(es):
- Date
- Thread

Breadcrumbs