REQUEST TO OTHER SNAPPERS - Please keep off this thread until we've got something going - thank you
@joecooldoo I've had an idea on how to possibly use MQTT to "securely" store data and I wonder if you'd be able to try it out.
The basic idea is that I have my own MQTT broker and I have it set up so that only I can publish to it but anyone can subscribe to topics on it - cymplecy.uk (check out the cheerlights/# topic for example)
So, my plan would be to hand you out a password and give you publish rights to a topic called joecooldoo
But to do this, I'd need to get the password to you securely
Easiest is that I send it to Brian and he forwards it to you - let's see what he thinks about doing that
An alternative is to use a Diffie-Hellman key exchange
I've never tried this out but from what I've read, it would seem that we could exchange public keys here on the forum and then I'd be able to post a password for the broker that only you could decode
I wouldn't be rushing into doing all this so it might take a while to get there
Is this something you're interested in trying out?
Note to Brian - I'd like to reassure you that at no stage in this process will any off-forum chat take place but if it causes you any issues in even trying it out then please just lock the thread
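The exchange proposed above, as an added example that is not part of the original post: each side posts a Diffie-Hellman public value on the forum, both derive the same key, and the broker password is then posted encrypted under that key. It uses only the Python standard library, the published RFC 3526 group 14 parameters, and a constructed password; the forum account each public value is posted from is what ties that value to a person, which the code itself does not check.

```python
import hashlib
import hmac
import secrets
# RFC 3526 group 14: a published 2048-bit MODP prime with generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
        "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Secret exponent plus the public value that is safe to post on the forum."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)

def shared_key(priv, their_pub):
    """Both sides reach the same g^(ab) mod p; hash it down to a 32-byte key."""
    if not 1 < their_pub < P - 1:   # 0, 1 and p-1 would force a predictable secret
        raise ValueError("invalid public value")
    return hashlib.sha256(pow(their_pub, priv, P).to_bytes(256, "big")).digest()

def _subkey(key, label): return hmac.new(key, label, "sha256").digest()

def _xor_stream(enc_key, data):
    """Keystream = HMAC-SHA256(enc_key, block counter) blocks, XORed over data."""
    stream = b"".join(hmac.new(enc_key, i.to_bytes(4, "big"), "sha256").digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, message):
    """Encrypt-then-MAC: a tampered post is rejected instead of decoding to junk."""
    body = _xor_stream(_subkey(key, b"enc"), message)
    return body + hmac.new(_subkey(key, b"mac"), body, "sha256").digest()

def decrypt(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), body, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(_subkey(key, b"enc"), body)

def exchange(password):
    """The plan end to end: public values cross the forum in the clear, then the password is posted."""
    owner_priv, owner_pub = keypair()   # broker owner
    user_priv, user_pub = keypair()     # account being handed out
    posted = encrypt(shared_key(owner_priv, user_pub), password.encode())
    return decrypt(shared_key(user_priv, owner_pub), posted).decode()
```

The constructed password round-trips only when both sides used each other's genuine public values; a flipped ciphertext byte or a degenerate public value is refused rather than silently accepted.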
Nah, given that it's you two I'm not worried. :~) And I do know your email addresses... But if you'd enjoy playing with DH don't let me stop you! Although I vaguely recall someone finding (and publishing) a flaw in their math that makes it crackable.
One of my complaints is the lack of ways to verify whether a client is who they say they are.
How do you plan to overcome such problems?
I had another reason that was better than this but I forgot what I was going to say.
I want a way to do it without user intervention, so, for example, I could make a game that finds a player and then verifies them in some way so you can play with others around the world instead of having to text your friends and ask for their passcode. Without this, someone can pretend to be a different user and spoof (for example) a username.
me and @specialred were trying to do this with just MQTT and Snap code
because it would take forever to secure everyone’s account with a password that is emailed
Why not do it the same way the web does, with async encryption?
You can use your password as the private key, and then anyone with the public key can decrypt the message, but only the person with the password can encrypt. Then, you send a randomly generated key for synchronous encryption, then you have a secure channel. (Though, man in the middle attacks can still happen.)
Following @specialred's discovery of a "free" tier in their products, I'm thinking that any Snapper (as long as they can get on the site) could set up their own broker that only they could publish to certain topics on but anyone else could subscribe to (by setting up a public guest user/password combo with only subscribe rights)
The company is emqx.com (who provide one of the current default public brokers - broker.emqx.io )
The product is their "Serverless" (I hate that word/concept nearly as much as crypto!) free tier
The one I've spun up is at x83e5931.ala.us-east-1.emqxsl.com:8084
I've set up a user called guest, password guest, that can subscribe to any topic (currently there is only cheerlights/# that I am publishing to)
This would completely eliminate the need to exchange any passwords whatsoever
Might have to tweak the MQTT extension blocks to make sure they can fully cope with multiple brokers
yes, any snapper besides me
for some reason, when trying to authorize sub-accounts on the site, I immediately get a "Bad Request" error the second I open the page
following that error, it doesn't even let me authorize any sub-accounts anyways...
however, it's good that you got your own broker for your project
while me and codegang (unless they can do it) are stuck with one of the defaults...