Security and Cost using Particle Publish

I'm using the MSOM device which has Wifi, cellular, and eventually satellite connectivity. I'm also eyeing the new cellular and ethernet board which is supposed to debut this month. However, I have some questions about security and cost. It is my understanding that TLS/SSL authentication is unavailable/impractical to implement on particle devices. Given that, our only recourse for security is to trust Particle and rely on their webhook interface. This seems intuitive when using cellular or satellite, but how does this work on wifi or ethernet? Can I still use particle publish? If so, the data would still be unencrypted leaving my device on its way to the particle servers. Do we incur a charge for using webhooks without a cellular/satellite data connection? How can I maintain absolute security regardless of transmission method while minimizing cost in the simplest way possible?

The Particle cloud connection is encrypted using DTLS (datagram TLS) with a session key. The session key is generated at least every 3 days using RSA public-private key pairs to mutually authenticate both sides.

All Particle features like publish, subscribe, functions, variables, and OTA updates are done over this connection, which uses CoAP over DTLS, so all of these are secured the same way. This is also independent of the underlying transport.

Things like publish are measured in data operations. You have a fixed number of data operations based on your account tier. Data operations are measured the same regardless of connectivity type for terrestrial connections (cellular, Wi-Fi, Ethernet).

Egress, including webhooks, does not incur any fees and is the recommended way to interact with external services.

1 Like

Thank you for the quick reply. Ok, can you confirm that all of the following statements are true then?

  1. particle.publish() is always encrypted regardless of transmission method (Wifi, ethernet, cellular, satellite)
  2. Using particle.publish() always incurs a cost EVEN OVER WIFI/ETHERNET as it counts against my data operations limit.
  3. Using the HttpClient library allows me to send data over Wifi/Ethernet without incurring any cost whatsoever, but I sacrifice security due to the lack of TLS/SSL support.
  4. Using the HttpClient library over Cellular/Satellite WILL incur a cost as it counts against my data operations limit, and also sacrifices security due to the lack of TLS/SSL support.

  1. Correct. Publish, subscribe, function, variable, and OTA are always encrypted regardless of transport.
  2. Correct. Each Particle.publish uses 1 data operation for up to 1024 bytes of payload, and 1 additional data operation for each additional 1K, up to the maximum of 16K for an event, for any terrestrial connection method.
  3. Correct.
  4. For cellular there are actually two limits, a cellular data limit and a data operations limit, and bypassing the Particle cloud will count against your cellular data limit, but in either case for the basic plan, you'd end up using more blocks. Satellite is special; you cannot bypass the Particle cloud because TCP over satellite is not supported.

There is a 3rd party library to do TLS, but each TLS connection can use up to 5K of data for authentication, and this will add up very quickly over cellular. The Particle DTLS connection is resumable so it does not need to reauthenticate on every reconnection, such as after waking up from sleep mode.

1 Like
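The reply above gives the data-operation cost model for Particle.publish (one operation per 1024 bytes of payload, 16K maximum per event). Since the original question is about minimizing cost, the following added example (written for this thread, not Particle's own firmware code) models that cost in plain C++ and packs many small readings into as few one-operation events as possible. The function names, the 35-byte sample reading format and the newline separator are assumptions; the constants come from the reply.

```cpp
// Added example, not Particle firmware code. Models the data-operation cost
// described in the thread: 1 op for up to 1024 bytes, +1 op per further 1K,
// 16K maximum per event. Standard C++ only, so it runs off-device.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

constexpr size_t kOpChunkBytes  = 1024;   // payload bytes covered by one data operation
constexpr size_t kMaxEventBytes = 16384;  // largest payload one event may carry

// Data operations consumed by a single publish of `payloadBytes` bytes.
// Returns 0 for an oversized payload, meaning the publish is not allowed.
size_t dataOpsForPublish(size_t payloadBytes) {
    if (payloadBytes > kMaxEventBytes) return 0;
    if (payloadBytes == 0) return 1;               // an empty event still costs one op
    return (payloadBytes + kOpChunkBytes - 1) / kOpChunkBytes;  // ceil(bytes / 1024)
}

// Greedily pack serialized readings into events that each fit within one
// 1024-byte chunk (so each costs exactly one data operation), joined by `sep`.
// A single reading larger than a chunk is emitted on its own and costs more.
std::vector<std::string> packReadings(const std::vector<std::string>& readings,
                                      const std::string& sep = "\n") {
    std::vector<std::string> events;
    std::string current;
    for (const auto& r : readings) {
        size_t needed = current.empty() ? r.size() : current.size() + sep.size() + r.size();
        if (!current.empty() && needed > kOpChunkBytes) {
            events.push_back(current);   // current event is full, start a new one
            current.clear();
        }
        if (!current.empty()) current += sep;
        current += r;
    }
    if (!current.empty()) events.push_back(current);
    return events;
}

// Total data operations for a list of events, one publish per event.
size_t totalDataOps(const std::vector<std::string>& events) {
    size_t total = 0;
    for (const auto& e : events) total += dataOpsForPublish(e.size());
    return total;
}

// Constructed sample data (hypothetical sensor format): each reading is a
// fixed 35-byte JSON fragment so the packing result is predictable.
std::vector<std::string> makeSampleReadings(unsigned count) {
    std::vector<std::string> readings;
    char buf[64];
    for (unsigned seq = 0; seq < count; ++seq) {
        std::snprintf(buf, sizeof buf, "{\"seq\":%04u,\"tempC\":25.1,\"rh\":40.0}", seq);
        readings.emplace_back(buf);
    }
    return readings;
}

int main() {
    auto readings = makeSampleReadings(100);
    // Naive approach: one Particle.publish per reading -> one op each.
    size_t naiveOps = totalDataOps(readings);
    // Packed approach: fill each event up to 1024 bytes before publishing.
    auto events = packReadings(readings);
    size_t packedOps = totalDataOps(events);
    std::printf("readings=%zu naive_ops=%zu packed_events=%zu packed_ops=%zu\n",
                readings.size(), naiveOps, events.size(), packedOps);
    return 0;
}
```

Packing only pays off when readings can tolerate the latency of waiting for a full event; the receiving webhook then has to split the batched payload on the separator again. The same cost model applies over Wi-Fi and Ethernet as over cellular, which is why the batching helps even on the "unlimited bandwidth" transports the thread discusses.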

Understood. Thank you! So it sounds like I need to use particle.publish() for all cellular/satellite connections. However, for wifi/ethernet where I have essentially unlimited bandwidth, I would love to do TLS on the device and bypass the particle.publish() data operations limit. Can you please point me to the 3rd party TLS library you mentioned so I can implement that?

Thank you! I appreciate the help!