-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Technical Question] Security: Check root certificate on device-to-cloud connection #3432
Comments
Hi @SymbioticKilla. When a device connects to IoT hub, the connection will be secured for you by this SDK regardless of authentication type used. When you establish the device-to-cloud connection, both the SDK and the IoT hub will check each-other's certificates to ensure the connection is secure before sending any application data. You do not need to additionally check the device's root cert on your own. |
thank you for the answer! You have mentioned that SDK checks IoTHub(cloud) certificate. Is this article obsolete? |
From the article:
So the article is correct. The SDKs do validate the IoT Hub's certificate when establishing the connection. The article is more about if/when you should also check the intermediate certificates. Overall, the document is correct. It is more secure to check the intermediate certificates as well when establishing the connection. However, it isn't usually feasible to do that since intermediate certs can change over time and the Hub team doesn't notify you ahead of time if/when this will happen as far as I know. That means that, if you start requiring a check of the intermediate cert when connecting, you run the risk of the intermediate cert changing without your knowledge and the device being unable to connect again until you update the device's cert store. The root certificate, by comparison, is valid for the next 10+ years and the Hub team will notify you ahead of time when it will be changed. |
Thanks! Sorry for not mentioning about intermediate certifacate check in my first post. |
As far as I'm aware, the only shared property of every intermediate cert of your Hub is that it is signed by the current root certificate. That is why we generally recommend users only validate the root cert when connecting. |
@timtay-microsoft |
To be more specific, the SDK will perform a TLS handshake with IoT hub when connecting. It will vary a bit from device to device since the SDK will use whatever TLS version is configured on your device (usually version 1.2), but the broad strokes are generally the same. This document does a good job explaining what a typical TLS handshake entails for both version 1.2 and 1.3. The only point to add here is that the SDK will automatically load the trusted certificates from your device's trusted certificate store. That means you don't need to instantiate a device client instance with the Hub's root certificate to get this TLS handshake. You just need to instantiate it with your device's connection string (SAS based authentication) or with your device's private key (X509 based authentication). |
We are using X509 thumbprint authentication method. |
To be clear, when you use AMQP or MQTT, the TLS handshake that happens upon each connection will ensure that all messages sent on that connection are encrypted. HTTP is a bit different since a single connection is established per message, but each HTTP connection still does the TLS handshake to ensure that message is encrypted. |
I'm little bit confused. If SDK checks trusted CA like the browsers do, there is no possibility to issue a certificate by Let's Encrypt e.g. with the same domain. |
Hi,
I have a question about extra security check...
Do I need to secure the connection from device to my IoTHub by checking the root certificate for example?
Does it bring more security to ensure that device doesn't send any data to non-microsoft endpoint?
If yes, do you have any code example for this approach?
Thanks!
The text was updated successfully, but these errors were encountered: