"Secure" MQTT test

REQUEST TO OTHER SNAPPERS - Please keep off this thread until we've got something going - thank you :slight_smile:

@joecooldoo I've had an idea on how to possibly use MQTT to "securely" store data and I wonder if you'd be able to try it out.

The basic idea is that I have my own MQTT broker and I have it set up so that only I can publish to it but anyone can subscribe to topics on it - cymplecy.uk (check out the cheerlights/# topic, for example)

So, my plan would be to hand out a password to you and give you publish rights to a topic called joecooldoo

But to do this, I'd need to get the password to you securely

Easiest is that I send it to Brian and he forwards it to you - let's see what he thinks about doing that :slight_smile:

An alternative is to use a Diffie-Hellman key exchange

I've never tried this out but from what I've read, it would seem that we could exchange public keys here on the forum and then I'd be able to post a password for the broker that only you could decode

I wouldn't be rushing into doing all this so it might take a while to get there

Is this something you're interested in trying out?

Note to Brian - I'd like to reassure you that at no stage in this process will any off-forum chat take place but if it causes you any issues in even trying it out then please just lock the thread :slight_smile:
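The key exchange described above (each side posts a public value on the forum, then the broker password is posted in a form only the other side can open), written out as an added Python example. This is not code from the thread or from the Snap! MQTT extension; the group parameters, the way the shared secret is turned into an encryption key, and the "owner"/"player" names are all assumptions made for illustration. The second exchange function shows the check a practitioner would want before trusting this: plain Diffie-Hellman has nothing that ties a posted public value to a person, so anyone who can swap the posted values in transit reads the password, and only comparing fingerprints of the public values over a second channel (an email via Brian, say) would expose the swap.

```python
import hashlib
import hmac
import secrets

# Constructed demo group (an assumption, not from the thread): p is the
# Mersenne prime 2**127 - 1 and g = 3.  Real deployments use a standardised
# 2048-bit or larger group (RFC 3526 / RFC 7919); this one only keeps the
# arithmetic small enough to read.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Pick a random private exponent and return (private, public)."""
    priv = secrets.randbits(126) | 1           # odd, so never zero
    return priv, pow(G, priv, P)


def dh_shared_key(my_priv, their_pub):
    """Hash the Diffie-Hellman shared secret into a 32-byte key."""
    if not 1 < their_pub < P - 1:              # reject degenerate values
        raise ValueError("bad public value")
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(pub):
    """Short digest of a public value, for reading out over a second channel."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def _keystream(key, nonce, length):
    """SHA-256 in counter mode; enough to carry a short password here."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under two keys split from the DH-derived key."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; raise on any modification."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message was altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def honest_exchange(password):
    """Owner and player post public values; the owner posts the sealed password."""
    o_priv, o_pub = dh_keypair()
    p_priv, p_pub = dh_keypair()
    k_owner = dh_shared_key(o_priv, p_pub)
    k_player = dh_shared_key(p_priv, o_pub)
    return unseal(k_player, seal(k_owner, password))


def mitm_exchange(password):
    """Someone who can replace the posted public values learns the password.

    Returns (what the attacker read, what the player received, whether owner
    and player actually share a key).  Neither honest party can notice the
    swap from the protocol alone; comparing fingerprint() of the public
    values over a second channel is what would reveal it."""
    o_priv, o_pub = dh_keypair()
    p_priv, p_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    k_owner = dh_shared_key(o_priv, m_pub)     # owner unknowingly agrees with the attacker
    k_player = dh_shared_key(p_priv, m_pub)    # so does the player
    k_m_owner = dh_shared_key(m_priv, o_pub)
    k_m_player = dh_shared_key(m_priv, p_pub)
    stolen = unseal(k_m_owner, seal(k_owner, password))
    delivered = unseal(k_player, seal(k_m_player, stolen))
    return stolen, delivered, k_owner == k_player


def tamper_is_detected():
    """Flip one ciphertext bit and confirm unseal() refuses the message."""
    key = dh_shared_key(5, pow(G, 7, P))
    blob = bytearray(seal(key, b"broker-password"))
    blob[16] ^= 0x01
    try:
        unseal(key, bytes(blob))
    except ValueError:
        return True
    return False
```

In the honest run the player recovers the password; in the man-in-the-middle run the password still arrives intact at the player, so nothing looks wrong, yet the attacker has read it and the owner and player never actually shared a key. That is why the public values (or their fingerprints) need to be confirmed over a channel the attacker does not control before the password is posted.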

Nah, given that it's you two I'm not worried. :~) And I do know your email addresses... But if you'd enjoy playing with DH don't let me stop you! Although I vaguely recall someone finding (and publishing) a flaw in their math that makes it crackable.

Thank you :slight_smile:

If @joecooldoo is up for this - I'll email you a password to pass onto them.

We can try out the DH bit as a separate exercise

One of my complaints is the lack of ways to verify whether a client is who they say they are.
How do you plan to overcome such problems?
I had another reason that was better than this but I forgot what I was going to say.

maybe give different users different passwords and store them in a list so that the code will ask for your name and password and verify you

I want a way to do it without user intervention, so, for example, I could make a game that finds a player and then verifies them in some way so you can play with others around the world instead of having to text your friends and ask for their passcode. Without this, someone can pretend to be a different user and spoof (for example) a username.

I did politely ask to keep the thread clean to prevent going off-topic :slight_smile:

@specialred and I were trying to do this with just MQTT and Snap code
because it would take forever to secure everyone's account with a password that is emailed

I don't think that's the path @cymplecy is taking.

I did politely ask to keep the thread clean to prevent going off-topic :slight_smile:

I get that
the way I would do it would be using a password in the topic name
example:
topic:join:Bob,3582134176512387

BH CALM DOWN

I have no reason to do anything with whatever is gonna be shared here, and regardless you can't make me /hj

ANYWAYS you can easily make data keys by using the dev mode "sha64 hash" block

By giving each user their own password to a write-only topic.

It's just an idea to try out to see if such a simple method would let people play multiplayer games without interference.

It might not be good enough but I thought it was worth a go to try it and I thought that you were the person for the task :slight_smile:

Why not do it the same way the web does, with async encryption?

You can use your password as the private key, and then anyone with the public key can decrypt the message, but only the person with the password can encrypt. Then, you send a randomly generated key for synchronous encryption, then you have a secure channel. (Though man-in-the-middle attacks can still happen.)

Eh?

I'd like to assume cookie was jokingly thinking you were gonna leak our emails.

I'm not one to talk for others though, so until they answer, it is still up for speculation.

I thought they were jokingly worried he would use them

It was a joke, out of context that message looks very threatening

Following @specialred's discovery of a "free" tier in their products, I'm thinking that any Snapper (as long as they can get on the site) could set up their own broker that only they can publish to on certain topics but anyone else can subscribe to (by setting up a public guest user/password combo with only subscribe rights)

The company is emqx.com (who provide one of the current default public brokers - broker.emqx.io)
The product is their "Serverless" (I hate that word/concept nearly as much as crypto!) free tier

The one I've spun up is at x83e5931.ala.us-east-1.emqxsl.com:8084
I've set up a user called guest, password guest, that can subscribe to any topic (currently there is only cheerlights/# that I am publishing to)

This would completely eliminate the need to exchange any passwords whatsoever :slight_smile:

Might have to tweak the MQTT extension blocks to make sure they can fully cope with multiple brokers
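The broker-side rules described in the two posts above (an owner who can publish anywhere, a guest account that may only subscribe, and one write-only topic prefix per player) as an added Python model. This is not code from the thread and it is not EMQX's or any other broker's real ACL syntax; the account names, the topic layout and the policy itself are assumptions for illustration. It implements MQTT topic-filter matching so the rules can use the # and + wildcards, and the last function makes one consequence visible: on a broker where the guest may subscribe to #, anything published reaches every subscriber, so a secret placed in a topic name (as in the join:Bob,... suggestion earlier) is readable by anyone holding the public guest password.

```python
from dataclasses import dataclass


def topic_matches(filter_, topic):
    """MQTT topic-filter matching: '+' matches exactly one level, '#' matches
    the remaining levels (zero or more) and may only appear as the last level."""
    f_parts = filter_.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1         # '#' anywhere else is invalid
        if i >= len(t_parts):
            return False                         # filter has more levels than the topic
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


@dataclass(frozen=True)
class Rule:
    user: str       # account the rule applies to
    action: str     # "publish" or "subscribe"
    filter: str     # topic filter on which the action is permitted


# Constructed policy (an assumption, not a real broker's configuration):
# the owner may do anything, "guest" may only subscribe, and the player
# account may publish only under its own prefix.
POLICY = [
    Rule("owner", "publish", "#"),
    Rule("owner", "subscribe", "#"),
    Rule("guest", "subscribe", "#"),
    Rule("joecooldoo", "publish", "joecooldoo/#"),
    Rule("joecooldoo", "subscribe", "#"),
]


def authorise(user, action, topic, policy=POLICY):
    """Default deny: permit only if some rule for this user and action covers the topic."""
    return any(
        r.user == user and r.action == action and topic_matches(r.filter, topic)
        for r in policy
    )


def who_receives(topic, policy=POLICY):
    """Every account whose subscribe rights cover the topic, i.e. everyone a
    message on it (including anything embedded in the topic name) reaches."""
    users = {r.user for r in policy}
    return sorted(u for u in users if authorise(u, "subscribe", topic, policy))
```

Real brokers also check a subscription request against the filter the client asks for (a guest asking for # is fine here, but a player asking to publish on cheerlights/colour is refused at the PUBLISH), and they treat topics beginning with $ specially; this model only decides per topic, which is enough to see who can write where and who can read what.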

Yes, any Snapper besides me
for some reason, when trying to authorize sub-accounts on the site, I immediately get a "Bad Request" error the second I open the page
following that error, it doesn't even let me authorize any sub-accounts anyway...

However, it's good that you got your own broker for your project
while codegang and I (unless they can do it) are stuck with one of the defaults...

how are you thinking of doing that?