
You (and a lot of others) forgot the most important need -- security. It seems almost every IoT device out there is easily hacked.

Maybe a web implementation with all its built-in protections really is the most pragmatic solution even if it isn't lightweight.

I think a safe language like SML/OCaml, Erlang, or Rust (each with various performance/productivity tradeoffs) is a better solution if we can get a secure framework on top.

MQTT and CoAP both support TLS. With TLS 1.2 you've got elliptic ciphers, which put it in reach of small embedded devices. So TLS with server certificates is enough to ensure confidentiality and server authenticity.

Client certificates can cover the client auth side although there are gotchas:

(1) dealing with revocation is more difficult as devices can more easily become compromised (physical access = extracting keys from flash/RAM.)

(2) assume a vendor issues a unique client cert on every device, and the chain reaches a CA. For multi-tenant cloud vendors, you still need to figure out which e.g. Philips Hue bulb is Bob's when Bob logs into his cloud portal. So there's a pairing issue that usually requires a one-time-pad or similar. Right now everyone does that differently.
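An added example, not part of the thread: a minimal cloud-side registry sketching both gotchas above, revocation of a single device's certificate and pairing a per-device certificate to a tenant account. The class, its method names, the 8-digit one-time pairing code and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

BULB_CERT = b"constructed DER bytes standing in for one bulb's client cert"

class DeviceRegistry:
    """Hypothetical registry keyed by the client certificate's SHA-256 fingerprint."""
    def __init__(self, code_ttl=300):
        self.code_ttl = code_ttl
        self.owner = {}       # fingerprint -> account that claimed the device
        self.revoked = set()  # fingerprints of devices treated as compromised
        self.pending = {}     # fingerprint -> (sha256(pairing code), expiry)

    @staticmethod
    def fingerprint(cert_der):
        return hashlib.sha256(cert_der).hexdigest()

    def start_pairing(self, cert_der, now=None):
        # Called inside the device's client-authenticated TLS session;
        # the returned code is what the device shows to its owner.
        now = time.time() if now is None else now
        fp = self.fingerprint(cert_der)
        if fp in self.revoked:
            raise PermissionError("certificate revoked")
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[fp] = (hashlib.sha256(code.encode()).digest(), now + self.code_ttl)
        return code

    def claim(self, account, code, now=None):
        # Called from the logged-in portal session; binds device to account.
        now = time.time() if now is None else now
        digest = hashlib.sha256(code.encode()).digest()
        for fp, (want, expiry) in list(self.pending.items()):
            if hmac.compare_digest(want, digest):
                del self.pending[fp]          # a code works once
                if now > expiry:
                    return None
                self.owner[fp] = account
                return fp
        return None

    def revoke(self, cert_der):
        # Deny one device without touching the vendor CA or other devices.
        fp = self.fingerprint(cert_der)
        self.revoked.add(fp)
        self.owner.pop(fp, None)
        self.pending.pop(fp, None)

    def authorize(self, cert_der):
        # Per-connection check after the TLS handshake: owning account or None.
        fp = self.fingerprint(cert_der)
        return None if fp in self.revoked else self.owner.get(fp)
```

A real deployment would also rate-limit `claim` attempts, since an 8-digit code is guessable without one.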

Agreed, that goes to my comment about transportation vs. application layer. Transport security is just one small part of IoT security, of course. It is not a solved problem, but there are a lot of best practices that just aren't addressed most of the time.

To put it another way: the Mozilla proposal needs to work with _multiple_ security models. They won't get there overnight.
