MQTT has username/password support so you can ensure only
authenticated users connect.
Depending on the broker implementation, different users can then be a
authorised to perform different actions.
For example, some users may only be allowed to subscribe to certain
topics, whilst others with more privileges can publish to them as
well.
Use of SSL or running on a VPN can also be used to secure the network.
Cheers,
Nick
> --
> To learn more about MQTT please visit http://mqtt.org
>
> To post to this group, send email to mq...@googlegroups.com
> To unsubscribe from this group, send email to
> mqtt+uns...@googlegroups.com
>
> For more options, visit this group at
> http://groups.google.com/group/mqtt
Even if this is not directly an MQTT protocol problem - IMO, this
would be appropriate to mention in the specification because the
addition of the username/password feature requires storage of this
information.
Hiram Chirino
Software Fellow | FuseSource Corp.
chi...@fusesource.com | fusesource.com
skype: hiramchirino | twitter: @hiramchirino
blog: Hiram Chirino's Bit Mojo
True, but storing is storing.
Clear text passwords in LDAP or another DB (etc) isn't really any better.
Dan
I think it would be more appropriate to remind people that the "username/password" fields in the MQTT
protocol are just bytes. They're even in sequential bytes. I don't really even think they should be
called username & password. They're simply two more fields that can be used (with clientid) to help
identify a connection. It's about as secure as telnet, in that it doesn't matter a jot how secure you
store the passwords on the broker, anyone listening to the traffic has the password.
Brokesr are free to _interpret_ the username and password fields as something else, but that's not
currently how anyone seems to talk about it.
Cheers,
Karl P
I prefer to think of it as being as secure as http, for which the same
is true in many situations.
Cheers,
Roger