Publication privacy on telemetry channels
The privacy of MQTT publications sent in either direction across telemetry channels is secured by using TLS to encrypt transmissions over the connection.
MQTT clients that connect to telemetry channels use TLS to secure the privacy of publications transmitted on the channel using symmetric key cryptography. Because the endpoints are not authenticated, we cannot trust channel encryption alone. Combine securing privacy with server or mutual authentication.
As an alternative to using SSL, some kinds of Virtual Private Network (VPN), such as IPsec, authenticate the endpoints of a TCP/IP connection. VPN encrypts each IP packet that flows over the network. Once such a VPN connection is established, you have established a trusted network. We can connect MQTT clients to telemetry channels using TCP/IP over the VPN network.
For a typical configuration, which encrypts the channel and authenticates the server, consult Telemetry channel authentication using TLS.
Encrypting TLS connections without authenticating the server exposes the connection to man-in-the-middle attacks. Although the information you exchange is protected against eavesdropping, we do not know who we are exchanging it with. Unless you control the network, we are exposed to someone intercepting your IP transmissions, and masquerading as the endpoint.
We can create an encrypted TLS connection, without authenticating the server, by using a Diffie-Hellman key exchange CipherSpec that supports anonymous TLS. The master secret, shared between the client and server, and used to encrypt TLS transmissions, is established without exchanging a privately signed server certificate.
Because anonymous connections are insecure, most TLS implementations do not default to using anonymous CipherSpecs. If a client request for TLS connection is accepted by a telemetry channel, the channel must have a keystore protected by a passphrase. By default, since TLS implementations do not use anonymous CipherSpecs, the keystore must contain a privately signed certificate that the client can authenticate.
If we use anonymous CipherSpecs, the server keystore must exist, but it need not contain any privately signed certificates.
Another way to establish an encrypted connection is to replace the trust provider at the client with your own implementation. Your trust provider would not authenticate the server certificate, but the connection would be encrypted.
Parent topic: Administer MQ Telemetry