What’s the difference between MQTT and MQTTS?
MQTT is a widely used network protocol in IoT for sending messages between devices and a server, and MQTTS is the secured version of this protocol.
Unfortunately, the added security from MQTT to MQTTS requires more traffic and drains device batteries quicker.
By using an Onomondo TLS Connector, we can have the device use MQTT which Onomondo transforms into MQTTS in the Core Network, using less traffic and reducing power consumption!
For this example, I use the mqtt module for Node.js, but you should be able to replace it with any other implementation for your language. I also use test.mosquitto.org as the test MQTT server.
An example with MQTTS
This is a basic example of how to use MQTTS to connect:
const fs = require('fs')
const mqtt = require('mqtt')

// CA certificate used to verify the broker's TLS certificate
const ca = fs.readFileSync('./mosquitto.org.crt').toString()
const client = mqtt.connect('mqtts://test.mosquitto.org:8883', { ca })

client.on('message', (topic, payload) =>
  console.log(`[message received] topic=${topic} payload=${payload.toString()}`)
)

client.on('connect', () => {
  console.log('[connected]')
  // Subscribe first, then publish to the same topic so the message comes back to us
  client.subscribe('helpomondo/testing', () =>
    client.publish('helpomondo/testing', 'Hello from device')
  )
})
Note that you need to have the mosquitto.org.crt on your device.
I used Onomondo’s Traffic Monitor to capture the packets going to/from the device, but you can also use Wireshark. When I ran this little example, it used 3.6 KB. Most of it is used establishing the secure connection.
Let’s see how we can do it more efficiently with a TLS connector.
Setting up the TLS connector
Now it’s time to create a new connector in the Onomondo App. For this example, we need to set the host as test.mosquitto.org, port to 8883, and put the contents of mosquitto.org.crt into the connector setup. We also add two passthrough rules to pass all UDP and ICMP packets directly to the internet.
With this setup, all TCP traffic going out from your device (no matter which ip/host it’s supposed to go to) will go to test.mosquitto.org:8883 and Onomondo creates a TLS connection to that endpoint.
Your setup in Onomondo should look similar to this:

Now find your SIM on the SIMs page in the Onomondo App, and edit it by setting the connector to the one we’ve just created.
The result should look something like this:

Example with MQTT
Let’s go back to the code example and set it up to only use MQTT and not MQTTS.
const mqtt = require('mqtt')

const client = mqtt.connect('mqtt://test.mosquitto.org:8883')
// Notice how we went from `mqtts://` to `mqtt://` and removed the `ca`

client.on('message', (topic, payload) =>
  console.log(`[message received] topic=${topic} payload=${payload.toString()}`)
)

client.on('connect', () => {
  console.log('[connected]')
  // Subscribe first, then publish to the same topic so the message comes back to us
  client.subscribe('helpomondo/testing', () =>
    client.publish('helpomondo/testing', 'Hello from device')
  )
})
So it’s very similar to before, except for a few key things. The protocol is now mqtt and not mqtts. We also removed the ca certificate file.
I used the Traffic Monitor to capture packets going to/from the device again.
This example now uses 1.1 KB instead of the original 3.6 KB, a saving of over 69%.
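To put both figures in perspective, this added example (not part of the original post or of Onomondo's code) encodes the MQTT 3.1.1 packets of the exchange above and counts the application-layer bytes. It assumes mqtt.js defaults (protocol level 4, clean session, keepalive 60, QoS 0) and a constructed client id; the helper names are my own.

```javascript
// Added example: MQTT 3.1.1 encoder used only to count application-layer bytes.
// MQTT string: 2-byte big-endian length followed by the UTF-8 bytes
const u16 = (n) => { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b }
const str = (s) => { const b = Buffer.from(s, 'utf8'); return Buffer.concat([u16(b.length), b]) }

// Remaining Length: 7 bits per byte, high bit set while more bytes follow
function remainingLength (n) {
  const out = []
  do {
    let byte = n % 128
    n = Math.floor(n / 128)
    if (n > 0) byte |= 0x80
    out.push(byte)
  } while (n > 0)
  return Buffer.from(out)
}

// Fixed header (type/flags byte + Remaining Length) followed by the body
function packet (firstByte, ...parts) {
  const body = Buffer.concat(parts)
  return Buffer.concat([Buffer.from([firstByte]), remainingLength(body.length), body])
}

// CONNECT: protocol "MQTT", level 4, flags 0x02 (clean session), keepalive, client id
const connect = (clientId, keepAlive = 60) =>
  packet(0x10, str('MQTT'), Buffer.from([0x04, 0x02]), u16(keepAlive), str(clientId))
// SUBSCRIBE: packet id, topic filter, requested QoS
const subscribe = (id, topic, qos = 0) => packet(0x82, u16(id), str(topic), Buffer.from([qos]))
// PUBLISH at QoS 0: topic then raw payload, no packet id
const publish = (topic, payload) => packet(0x30, str(topic), Buffer.from(payload, 'utf8'))

function exchangeBytes (clientId = 'mqttjs_0a1b2c3d') { // constructed client id
  const topic = 'helpomondo/testing'
  const payload = 'Hello from device'
  const up = [connect(clientId), subscribe(1, topic), publish(topic, payload)]
  // Broker side: CONNACK, SUBACK, and the PUBLISH delivered back to our own subscription
  const down = [
    Buffer.from([0x20, 0x02, 0x00, 0x00]),
    Buffer.from([0x90, 0x03, 0x00, 0x01, 0x00]),
    publish(topic, payload)
  ]
  const sum = (list) => list.reduce((n, b) => n + b.length, 0)
  return { up: sum(up), down: sum(down), total: sum(up) + sum(down) }
}

console.log(exchangeBytes())
```

The MQTT packets themselves come to 141 bytes in both runs; everything else a capture counts is TCP/IP framing and, in the MQTTS run, the TLS handshake and record overhead. These are also the bytes that travel without TLS between the device and Onomondo, where they rely on the cellular encryption described below.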
Benefits of using a TLS connector
Saves on data cost
- Less data transferred.
- In this example we went from ~3.6 KB to ~1.1 KB.
Saves on battery usage
- The radio module can save battery by not having to transfer as many packets.
- Read a white paper on how Connectors save data and battery consumption.
No encryption on the device
- Saves on battery usage by not having to handle encryption.
- No or fewer keys or certificates on the device that might need to be updated.
- Communication to and from devices to the network is still encrypted using cellular standards.
Is this still secure?
A little-known fact about telco is that the traffic is actually secure from your device until it hits your provider.
A SIM card mostly contains keys which are one end of the encryption, and the matching keys are on the provider’s side.
That means that traffic is always encrypted until it gets to your provider (i.e. Onomondo), but then it goes on the Internet.
Since most providers just pass traffic on to the Internet, you typically need to encrypt traffic on devices, an expensive process.
By using a TLS connector, Onomondo makes sure that there is an encrypted connection between Onomondo and your endpoint.
So, to sum up, cellular traffic is already encrypted between device and provider. Then by adding a TLS connector, the traffic is encrypted between Onomondo and your endpoint.
One extra little bonus
Remember how I mentioned that all TCP traffic going out of the device went to test.mosquitto.org:8883?
This actually means we no longer have to look up test.mosquitto.org on the device. So we can remove that hostname from our example and save that lookup for even more optimization!
...
const client = mqtt.connect('mqtt://1.2.3.4')
// Notice how we removed the hostname. There's only an ip address now.
...
How to debug with the MQTT Explorer
To help testing this, I found it very helpful to use MQTT Explorer. Then you can subscribe to helpomondo/testing and see if the device behaves as expected.
Happy testing!