
mosquitto-users team mailing list archive

Recommended setup for supporting lots of external clients

 

Hi,

I've been reading the mosquitto documentation about security and I'm a bit
confused about what would be the best setup for supporting a huge number of
clients, trying to keep the system as simple as possible.

To be more specific, imagine a scenario with a broker exposed to the
internet which is being accessed by third-party products/code (i.e., devices
sending temperature data).
Let's say that users of this system could have lots of devices and want
to connect them to the broker.

In a perfect (and secure) world all those clients should have different
credentials, but in reality this could be tricky because all devices should
be configured one by one and all credentials remembered/stored.

If I'm not wrong, the documentation states that it is recommended to use
different certificates for server, CA and clients, so I suppose it is also
problematic using only one user/password in all people's devices or the
same PSK, right?

In order to balance security and simplicity, I'm wondering if the best
solution is to expose a broker to the internet and bridge it to a "private"
broker, but I'm still confused about what kind of security should be
implemented in the "external broker".

Any advice on this?

Thanks in advance,

Alfonso
