Securing public MQTT broker


Matthias Böhmer

Jan 21, 2016, 8:47:43 AM
to mq...@googlegroups.com
Hi,

if I have a MQTT broker on the Internet using web sockets: what is the
best way to secure this broker? I want only my own website to be able
to send/receive messages, but given the website is available as source
code and one can see the user/password, this is an issue.

Any ideas or comments?

Best,
Matthias

Raphael Cohn

Jan 21, 2016, 8:58:51 AM
to mq...@googlegroups.com
Matthias,

Do you mean the source code is on something public, like GitHub, or that the password is available in the JavaScript that runs on your website and initiates a WebSocket connection?

Raphael Cohn
Chief Architect, StormMQ
Co-Chair, OASIS MQTT Standard for the Internet of Things
Advisor, UK Government Technical Standards Board
+44 7590 675 756

UK Office:
Hamblethorpe Farm, Crag Lane, Bradley BD20 9DB, North Yorkshire, United Kingdom
+44 845 3712 567

Registered office:
16 Anchor Street, Chelmsford, Essex, CM2 0JY, United Kingdom
StormMQ IT Limited is Registered in England and Wales under Company Number 07175657


Matthias Böhmer

Jan 21, 2016, 9:07:28 AM
to mq...@googlegroups.com
The password will be available in JavaScript. I guess it needs to be
available in plain text for the API. Or is there any other way?
--
Prof. Dr. Matthias Böhmer

Institut für Informatik
Labor für Mobile und Verteilte IT
TH Köln, Campus Gummersbach
Steinmüllerallee 1, 51643 Gummersbach

+49 2261 8196 6397
matthias...@th-koeln.de
http://moxd.io

Raphael Cohn

Jan 21, 2016, 9:11:54 AM
to mq...@googlegroups.com
With WebSockets, one can leverage existing HTTPS-based mechanisms for login, e.g. cookies or digests, etc. There's no reason your web server layer shouldn't be able to authenticate those. Alternatively, issue a username / password combination to each potential user, just as you would for sign-ups.


Hans Jespersen

Jan 21, 2016, 3:21:10 PM
to MQTT
Have your JavaScript read the password from a config file or an environment variable. That way the password doesn't need to be in the public code.

Alternatively (but not at all secure) you can hide the password assignment in the JavaScript by running only that portion of your code through one or more obfuscators.
This keeps the password out of plain text, but anyone who knows how to write JavaScript can modify the code to simply print out the password.

-hans

Raphael Cohn

Jan 21, 2016, 4:45:00 PM
to mq...@googlegroups.com

Please don't use environment variables for sensitive data; depending on your system they are visible via /proc or forks to potentially unprivileged processes.

Hans Jespersen

Jan 21, 2016, 6:08:59 PM
to MQTT
Yes, of course. Also files in the filesystem need to be secured as well, and any passwords stored in files should be hashed and not clear text. Also the MQTT connection needs to be over secure web sockets (WSS), not plain text (WS). I guess the OP never did say where his "own web site" was running, what platform it was on, if it was on third-party hardware, or if it was a multi-tenant system. All those things are important for any security architecture.