Bill Marriott <
bilm...@gmail.com> writes:
> My message processor (engine) is still subscribing on 1883 (NOT TLS) to
> broker on localhost, though it could connect to a remote broker if scaling
> required it. I rationalized this because it was easier, local and would be
> less of a load on CPU.
>
> So, for a subscriber to ALL topics, should the additional overhead of TLS
> be a concern (thus need load testing) or is it likely to be trivial so
> just do it?
Opening a TLS connection requires public-key operations. Once opened,
it's all symmetric crypto. These days most web access and almost all
email is TLS. I hear no complaints about CPU time, only about how much
RAM firefox uses.
You should try it but I suspect you will not notice the CPU time. I
strongly advise against turning down security because of a fear of CPU
usage, without having actually measured it.
My own preference is to *not even configure* port 1883 on the broker.
Even if there is data that you don't consider sensitive, typically one
uses password auth, and that should have protection. Yes, I see your
point about localhost, but I find it simpler to reason about systems
that simply have no cleartext access, period.
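
An added illustration of the "no cleartext listener at all" setup described in the reply above; this is not configuration from the thread or from any poster, and it assumes a Mosquitto broker. The certificate and password file paths are placeholders.

```conf
# Added example (not from the thread). Assumes Mosquitto; paths are placeholders.

# --- The setup being questioned: a cleartext listener ---
# Anything that can reach this port sees CONNECT credentials and every
# message a '#' subscriber receives in the clear. Left commented out on
# purpose: the point is that it does not exist in the preferred config.
# listener 1883
# allow_anonymous true

# --- Preferred: the only listener is TLS ---
# With no 'listener 1883' line there is no cleartext port to reason about,
# on localhost or anywhere else. A local subscriber simply uses 8883 too.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Password auth is what the TLS layer is protecting; do not let
# unauthenticated clients in just because the channel is encrypted.
allow_anonymous false
password_file /etc/mosquitto/passwd
```

Create the password file with `mosquitto_passwd -c /etc/mosquitto/passwd engine`, restart the broker, and then check the result rather than assume it: `ss -ltnp | grep 1883` should print nothing, while `mosquitto_sub -h localhost -p 8883 --cafile /etc/mosquitto/certs/ca.crt -u engine -P '<password>' -t '#'` should connect. The per-connection public-key cost lands on that one subscriber's handshake; after that it is symmetric crypto on every message, which is the part worth measuring if you still want numbers.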