Security when using MQTT over the public internet

I would like to learn more about security when using cayenne with MQTT.
When I send over the public internet my credentials to the MQTT server, or my MQTT messages, as far as I can see, there is no encryption. Anyone in the middle in between could see the password or data I am sending?
Or do I understand that wrong? Is there any possibility of a secure connection?
thank you for bringing light in here!

have a look at this post https://www.hivemq.com/mqtt-security-fundamentals/

Yes I know that, but what it’s worth when there is no secure implementation in cayenne? I found no secure connect methods in the docs, or am I missing something? TLS / SSL ?
thank you!

cayenne provide all the security given in the post.

is that documented anywhere, I cannot find, searched all docs and api infos

it is not documented but i it safe enough to use cayenne.

I tried to use SSL / TLS without success, does it mean that only sending password unencrypted over public internet is supported?

i did not understand what you mean. But what is your project about and why are looking into security in so much detail?

It’s easy: the basic MQTT protocol is a simple TCP connection which sends payload unencrypted when there is no additional layer of security. From the security point of view, it is like FTP or TELNET in the old days when it was used without encryption over public internet, where the password could be easily sniffed by anyone in between the endpoints.
I do not think that it is a good idea to send passwords and sensor/actor data unencrypted over public internet. With that information, your data is not only potentially visible to others, but also could an attacker login to your account and modify data and/or change settings, change switches, actors, etc…
Therefore there are simple methods of securing the connection, and my original question was if that is implemented in cayenne. I did not want to discuss who of us is willing to expose data and credentials unencrypted, but wanted to know how to use SSL/TLS with cayenne.

I agree, TLS should be available if someone wants to use it. I don’t think it’s available on the libraries for Arduino devices but I could be wrong. The Pi has more than enough processor to handle encryption though. @markus_enz if you want to use encryption now you can use the https://developers.mydevices.com/cayenne/docs/cayenne-api/#cayenne-cloud-api

1 Like

i confirmed and yeah, we do have SSL enabled port : 8883 instead of 1883. however most of low end arduino devices aren’t able to support MQTTS, hence we provide MQTT port by default but with RPi, cayenne agent connects over MQTTS.

1 Like

great thank you!

1 Like