It does, but it is a major pain if you are not using a trusted cert. You have to add the CA to Java’s trust store, which is a pain. I find it easier, since I run mosquitto on the same machine as OH, to set a firewall to only allow connections to port 1883 on localhost and require external connections to use 8883 with a client cert and TLS encryption.
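The split described in the reply above (plaintext MQTT bound to loopback only, TLS plus client certificates for everything else), written out as a mosquitto.conf. This is an added example, not the poster's own configuration; the certificate paths, the password file path and the choice of mosquitto's standard directive names for a 1.x/2.x broker are assumptions.

```conf
# Global settings (mosquitto 2.x applies these to every listener)
allow_anonymous false
password_file /etc/mosquitto/passwd

# Listener 1: plain MQTT, reachable only from this host.
# openHAB runs on the same machine, so it connects to 127.0.0.1:1883.
listener 1883 127.0.0.1

# Listener 2: TLS for every other client (Wemos, phones, other hosts).
# Clients must present a certificate signed by our own CA; the cert's
# CN is then used as the MQTT username, so no password is needed here.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
require_certificate true
use_identity_as_username true
tls_version tlsv1.2
```

Binding the 1883 listener to 127.0.0.1 already keeps it off the LAN; a host firewall rule such as `ufw allow 8883/tcp` and `ufw deny 1883/tcp` is the belt-and-braces version of the same idea. If openHAB must instead talk TLS to a broker on another host, the CA cert has to go into the JVM's trust store, e.g. `keytool -importcert -trustcacerts -alias mosquitto-ca -file ca.crt -keystore <path-to>/cacerts` (the cacerts path differs between Java versions, which is the pain mentioned above).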
It is possible to use SSL/TLS with a Wemos D1 based on a few seconds of google searching. However, it doesn’t buy you much by itself.
Let’s say I’m Mr. Hacker Thief and somehow I figured out you have a way to open your garage door via Wi-Fi.
First, I have to crack your Wi-Fi encryption. While not impossible, this is rather difficult right now with WPA2-PSK, assuming you have patched your Wi-Fi devices in the past couple of months (there was a vulnerability discovered not too long ago). So what does it take to do that?
I can force a handshake and capture those packets. Those packets have the password in encrypted form in them. I can then go home and run a brute force attack on that captured password. Assuming you have a good SSID password this can take a very long time. If you use single dictionary words this can take seconds.
OK, I now have your password. Next, I need to actually get on your network. Now you have a second line of defense, because you can use MAC filtering to only allow those devices that you preapprove to join your network. This isn’t a very strong defense because it is easy enough to spoof one’s MAC address, so let’s say I join the network and can now start sniffing and connecting to things.
So, now that I’m on your network, I start scanning around and I see a device named “Garage” or something that makes it look interesting. But I also see a machine named “openHABian”. I see that the traffic to “Garage” is encrypted, but I can connect to port 8080 on the openHABian machine, which I know is home automation software because of a quick Google search, and I get this nice control panel and now I can open your garage.
My point is you can’t look at security in little pieces. You must look at it holistically. In this case, if I can bring up your openHAB without authentication then all the encryption in the world will not protect your garage door opener.
Also, if I were a hacker sophisticated enough to pull this off, I’m probably going to implant a backdoor on your network and start sniffing for usernames, passwords, and other information I can use to perform identity theft. The effort is much lower, the rewards are higher, and the risks are much lower.
So, definitely work on protecting your Wi-Fi. But if you are worried about what someone can do once they get inside your network, then you need to look at it holistically. You need to secure EVERYTHING. Securing piece parts is not going to do much for you.
See above. Hardwired does not guarantee security.