Secure MQTT using openssl do I need user/password?

I have two mqtt servers, one running on the LAN with no access from outside, the other running on a VPS in the cloud. The one in the cloud is secured with openssl. The other has just a user/password. Neither is supporting critical applications; they are mostly test beds. My question is: should I have also included a user/password for the openssl server? Maybe I'm naive in thinking anyone who can crack into an openssl server wouldn't have much trouble cracking a user/password in MQTT.

Thanks,
Jim.

It seems you might not have understood what SSL does for your MQTT server. It in no way adds any security in terms of who is able to connect. It only encrypts the data that gets transferred after the connection has been established. So if you don't require a username and password, anyone can connect to your server!

A real-life example to make this a bit clearer: let's say you have a Google account. When you browse to Google, the connection is encrypted, no matter whether you are logged in or not. Your browser will somehow indicate the encrypted connection, which prevents others on the same network from sniffing your credentials when you log in. But you still have to log in to access your mail, etc. If Google didn't require you to enter your username and password, anybody browsing to Google would have access to your e-mails. The fact that the connection is encrypted doesn't change anything about that.

To sum this up: set up a username and password ASAP. That’s WAY more important than an encrypted connection.
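
To make the distinction in the reply above concrete, here is an added example (not from the thread or either poster). It assumes the broker is Mosquitto, which the question does not actually say, and every file path and the port are placeholders. Variant A is a listener "secured with openssl" only; Variant B adds credentials. The two variants are alternatives for the same listener, not meant to be active in one file at the same time.

```conf
# Added example, not from the original thread. Assumes Mosquitto; paths are placeholders.

# --- Variant A: TLS only ---------------------------------------------------
# The session is encrypted, but any client that can reach TCP/8883 is allowed
# to connect and publish/subscribe, because no client authentication is set.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
allow_anonymous true

# --- Variant B: TLS for confidentiality, credentials for authentication -----
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
tls_version tlsv1.2
allow_anonymous false
# Password file created with:  mosquitto_passwd -c /etc/mosquitto/passwd <username>
# (entries are hashed; the CONNECT packet still carries the clear-text password,
#  which is exactly what the TLS layer protects on the wire)
password_file /etc/mosquitto/passwd

# Optional hardening: mutual TLS. With require_certificate, the TLS handshake
# itself rejects clients that cannot present a certificate signed by cafile,
# so in this one configuration "openssl" does control who can connect.
# use_identity_as_username maps the certificate CN to the MQTT username so
# topic ACLs can still be applied per client.
# require_certificate true
# use_identity_as_username true
```

The check a practitioner would run after reloading Variant B is a connection attempt with no credentials: the broker must answer the CONNECT with a "not authorised" return code rather than CONNACK success. Note also that Mosquitto 2.0 and later default to `allow_anonymous false` once a listener is defined, so Variant A has to be configured deliberately on a current broker.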

Thanks for the info.

Well, it does change some things… the hacker's traffic will be encrypted securely. :smiley: