@cymplecy - so does that mean I need to open Port 9001 on both server firewalls?
Have not heard of ZeroTier, but will read up tomorrow. Thanks.
I've just read the whole thread (I was only responding to the bit about accessing a broker over websockets)
Using websockets isn't going to give any increase in security over normal MQTT, so my answers are irrelevant (apart from the fun of trying to get MQTT over websockets).
I know nothing about security subjects
The reason that I want to use 'mqtt over websockets' is that I have a lot of mqtt connected devices on the local network, that don't support TLS.
So my thinking is, keep the local network as it is, but then bridge the data securely to the remote server via websockets - TLS encrypted - but I can't even connect un-encrypted!
I'm assuming that you can't have both TLS-encrypted connections & non-TLS connections to an mqtt broker at the same time.
But in the years which I've used node-RED, this seems to be the most undocumented feature I've encountered (no criticism intended).
Like I say - I know nothing about security but ...
If you want to connect to a broker, it doesn't make any diff if you use standard MQTT with TLS or websocket MQTT using TLS - they'll both be as "secure" as each other.
the websocket protocol isn't any better than standard in that respect
AFAIK, you can use all four methods, standard MQTT, MQTT using TLS, websockets and secure websockets all at the same time - you just have to configure your broker to handle the other 3 methods
Thanks Simon, I wasn't aware of that.
I'll do some more reading tomorrow, and hopefully see the light!
No worries - start here
https://zerotier.atlassian.net/wiki/spaces/SD/pages/8454145/Getting+Started+with+ZeroTier
Incredibly easy and quick to get going
Craig
I also have looked back to the start of the thread and don't see the logic in using websockets. If the problem is that you cannot use port 1883 then specify a different port for MQTT, and use TLS. No need for websockets.
I don't think that should now be a problem, as I've built a new system which does not use Cloudflare, I'm now using Letsencrypt & Certbot instead to manage SSL on both sites.
So I now have better control of port assignments.
In that case you can use the usual MQTT connection method, there is no advantage in using websockets as far as I know.
Provided that I can connect local network connected devices to the broker without TLS as well as connecting to the remote client with TLS.
@cymplecy mentioned above that it can be done, but I need to read up how.
Do you know if I am able to use the same Letsencrypt certificates that I generated to secure node-RED (both NR & the mosquitto broker are on the same server)? They are PEM format.
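As an added illustration of Simon's point above that all four listener types can run on one broker at the same time, and of the question about reusing the Let's Encrypt PEM files: a mosquitto.conf sketched here for this thread (not posted by anyone in it). The LAN address 192.168.1.10, the domain example.org and the password file path are assumptions.

```conf
# Added example (not from the thread): one Mosquitto broker serving plain MQTT,
# MQTT over TLS, plain websockets and websockets over TLS side by side.
# 192.168.1.10, example.org and /etc/mosquitto/passwd are assumed values.
per_listener_settings true

# 1) Plain MQTT for the local devices that cannot do TLS.
#    Bound to the LAN interface only, so it is never exposed to the Internet.
listener 1883 192.168.1.10
allow_anonymous true

# 2) MQTT over TLS for the remote side (the port you open on the firewall).
#    Let's Encrypt already produces PEM files, so they can be used directly.
listener 8883
certfile /etc/letsencrypt/live/example.org/fullchain.pem
keyfile  /etc/letsencrypt/live/example.org/privkey.pem
allow_anonymous false
password_file /etc/mosquitto/passwd

# 3) Plain websockets, LAN only (e.g. a browser dashboard on the same network).
listener 9001 192.168.1.10
protocol websockets
allow_anonymous true

# 4) Websockets over TLS, same certificate as listener 2.
listener 9443
protocol websockets
certfile /etc/letsencrypt/live/example.org/fullchain.pem
keyfile  /etc/letsencrypt/live/example.org/privkey.pem
allow_anonymous false
password_file /etc/mosquitto/passwd
```

One practical caveat: the broker runs as its own unprivileged user and by default cannot read privkey.pem under /etc/letsencrypt/live, so a certbot deploy hook that copies the renewed files somewhere the mosquitto user can read is the usual fix.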
The only reason I think it can be done is that test.mosquitto.org can be accessed via all 4 methods
No idea how
But "all" you need to do is get standard protocol using TLS
But just a bit of a spanner, why are you worried about your data being intercepted going from home to a secure cloud broker?
It doesn't sound as if it's particularly sensitive stuff and I can't see the chances of a malicious agency going to the trouble of trying to intercept it being very likely.
Well, we thought that previously about Node-RED installations until someone started hacking them a while back.
These are mainly automated scanners and scripts so it isn't as though anyone spends any real time on it until the script discovers a vulnerability.
On the other hand, there are a LOT of people in the world with Internet access but no job and they will poke into anything they happen across.
Initially, you start with something completely safe - let's say some test data. Then in a few months you add your lighting. Then months later you add your heating. Then you decide that it might be nice to have some extra security, maybe some cameras. Unless you are careful, these things creep up on you and you forget just how much you are now spilling across the Internet with no idea what might be caching the data, breaking into things, using ML to collate data, ...
Remember the guy in Japan who stalked a celeb? Found her real-world location from the reflection in her eyes? The security cameras that suddenly found themselves part of a global botnet?
I know that I tend to be a bit too far down the paranoid scale. But that is because it is part of my job to stay abreast of what is happening in the world of Cyber security - trust me, it isn't a job for the faint-hearted or the easily disturbed.
Personally, I'd rather be safe than sorry. Especially where it could impact my family.
[rant-off]
...automatic payment services... and well
To my mind, there is a major risk assessment measurement difference between security of data transfer and security of information storage/ access to a process
Capture of data in-flight between home and your own cloud server is VERY unlikely to happen and the chances of harm arising by not encrypting it is very very low. very very very low.
We are kind of drifting off-topic here so anyone should feel free to shut us down if you feel this isn't relevant.
It isn't so easy to separate them. They are different risks but they are also related. Lack of encryption on the wire (data in flight) can lead to information leakage that results in compromise of a system which, in turn, can lead to the compromise of the data at rest.
That is only true if you actually have a secure connection directly between the 2. If you aren't using end-to-end encryption on the wire, then you most certainly do not have a direct connection because your data may pass through any number of intermediate systems including:
And any/all of those will be found at:
If any of those have been compromised then it is open season on your data. While the data itself may not be of great value, the aggregation of the metadata (service names, ip addresses, server types, domain names, certificate data, user names, passwords, ...) are all potentially subject to botnets collecting and collating the data into something more valuable.
NO!!
That may have been the case before the days of highly capable botnets and machine learning powered by cheap and plentiful server capacity (often the result of previous hacks). But that really isn't the case now.
At the very least, you greatly increase the chance of your cloud server being compromised and added to the problem by becoming part of a botnet. You even increase the chances of your Pi becoming the same.
I really don't think people even begin to understand what machine learning can do in the hands of the bad guys. It is bad enough in the hands of the fairly bad guys (Facebook, Google, etc) but put that power into the hands of the state sponsored hacking industries we now see worldwide and you have something on a totally different order of magnitude.
Nobody is too small or insignificant to play a small part in that "game".
Of course, to bring this back into our world, yes, the risks are relatively small. But they are far from being zero. And that ongoing scope-creep is hiding in the background ready to catch you out as so very many people are finding out to their (and our) cost.
... as a quick poke around https://www.shodan.io/ will show you
This is about home IoT data - not traffic with security info in it.
Let me be plain - in my view - that in this case, the risk is so close to zero of ANY damage being done that it's not worth the bother.
it might be worth the bother later on of course
OK, that is your view Simon and entirely up to you. But I really must make it plain to everyone else on the forum that I strongly disagree with the sentiment. And Dave's link reinforces that as does this:
Okay guys, I think it must come down to personal preference, and how risk averse you are.
I'm currently controlling security lighting & sensors, irrigation and not just dealing with logging temperature, humidity etc. so to me, TLS is peace of mind, and worth going just that little bit further & do things properly.
For me it's not negotiable, so maybe let's leave this aspect here, and maybe discuss it in its own thread if it's considered necessary, but thanks for raising it.
Have you checked out ZeroTier yet? It can remove all these issues by giving you (essentially) a VPN between your devices - without all the usual VPN setup and connection issues.
Craig