I have a quick question that has bothered me for a while now, and I can’t really find a suitable answer.
I’m using the official Mosquitto broker add-on and the MQTT integration. After searching through the forum and a few blog posts, I’ve found that everyone recommends enabling a secure MQTT connection.
So my question is: Is this really necessary?
As I understand it, the add-on runs as a Docker container on the host machine in hassio. This makes it available through “core-mosquitto”, and the MQTT integration auto-detects it. It also uses the homeassist user/password to connect to the broker.
Since this connection is local and not exposed, why would it matter to secure it with SSL if I don’t get access to this connection? Even if I use the Zigbee2MQTT add-on, it also connects to the broker through core-mosquitto.
I understand that if I would like to access the broker from outside, this would be a necessary step. However, I don’t and don’t think I will in the future.
I used MQTT Explorer and confirmed that I can connect to the MQTT broker with user/password on my local host (mqtt://home.local:1883). But this is normally not something I would do.
…
Am I missing something here? Any help would be appreciated.
Well, you know, it is something that should be considered, in my opinion.
For example, Roborock vacuums use an MQTT connection over port 8883 to talk to their servers. So MQTT over the internet uses SSL.
Should you or anyone else be using SSL over the local network? When I asked that question a few years ago, everyone ridiculed me, as in “look at this stupid guy, SSL is only used over the internet”. But look at this. And this does raise some concerns.
I’m using SSL over the local network to access my HA IP and all other Docker containers. And I’m considering using MQTT over SSL on the local network, and not just that.
No it isn’t.
Truth be told, you can use MQTT over the insecure 1883 port in your own local network, but this isn’t secured.
A much better option would be to use it over SSL. Why?
Well, why do most people use seat belts when they drive their cars? Not because they sit in their cars intending to crash them. 99,9% of the time nothing will happen and you don’t actually need a seat belt.
But there is always that 0,1 percent or less where it is better to have it than not to have it.
And this is the same. If a user can secure their MQTT communication over the local network, then it is better to use it than not to use it. If they cannot, well, that doesn’t mean that their MQTT communication will be hacked or is insecure by default, because an intruder will have to gain access to their network. Gaining access to someone else’s network without the owner’s permission is a crime in most countries around the world.
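To make the “1883 isn’t secured” point concrete, here is an added example (not from the thread, Mosquitto or Home Assistant): a small Python script that builds and decodes the MQTT 3.1.1 CONNECT packet a client sends when it connects. On the plain 1883 listener the broker username and password travel in this packet as readable bytes; TLS on 8883 is what wraps them. The client id and credentials are constructed placeholders.

```python
# Added example (not from the thread): decode a client's MQTT 3.1.1 CONNECT packet.
# On the plain 1883 listener the username and password travel exactly like this.
import struct

def _s(text: str) -> bytes:            # MQTT UTF-8 string: 2-byte length + bytes
    b = text.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def build_connect(client_id, username=None, password=None) -> bytes:
    """Minimal CONNECT (clean session, no will, keepalive 60), as a client sends it."""
    flags, payload = 0x02, _s(client_id)
    for bit, field in ((0x80, username), (0x40, password)):
        if field is not None:
            flags |= bit
            payload += _s(field)
    body = _s("MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    rem, n = b"", len(body)            # remaining length: 7 bits per byte, MSB = continue
    while True:
        n, digit = divmod(n, 128)
        rem += bytes([digit | (0x80 if n else 0)])
        if n == 0:
            return b"\x10" + rem + body

def _rd(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_connect(packet: bytes) -> dict:
    """Return the client_id, username and password carried by a CONNECT packet."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos, mult, rem = 1, 1, 0
    while True:                         # decode the variable-length remaining length
        byte, pos = packet[pos], pos + 1
        rem, mult = rem + (byte & 0x7F) * mult, mult * 128
        if not byte & 0x80:
            break
    body = packet[pos:pos + rem]
    _, p = _rd(body, 0)                 # protocol name "MQTT"
    flags, p = body[p + 1], p + 4       # skip protocol level, flags, keepalive
    out = {"username": None, "password": None}
    out["client_id"], p = _rd(body, p)
    for _ in range(2 if flags & 0x04 else 0):   # will flag: skip will topic and message
        _, p = _rd(body, p)
    if flags & 0x80:
        out["username"], p = _rd(body, p)
    if flags & 0x40:
        out["password"], p = _rd(body, p)
    return out
```

Feed `parse_connect` the first packet of a captured 1883 session and the credentials come straight out; over 8883 there is nothing readable to feed it.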