
I am trying to implement security in MQTT on node.js. I didn't quite understand the paragraph below.

https://github.com/mqttjs/MQTT.js

In case mqtts (mqtt over tls) is required, the options object is passed through to tls.connect(). If you are using a self-signed certificate, pass the rejectUnauthorized: false option. Beware that you are exposing yourself to man in the middle attacks, so it is a configuration that is not recommended for production environments.

guagay_wk

1 Answer

If you use rejectUnauthorized then the client will accept ANY certificate from the remote system.

Which means an attacker can create their own self-signed certificate, insert themselves between you and your broker, and you will have no way of knowing they have.

If you use the method I mentioned in my answer to the other question, you can be sure that you are connecting to the broker with your certificate.

hardillb
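To make the README paragraph and the answer concrete, here is an added example (written for this page, not code from the question, the answer or MQTT.js itself). Because mqtt.connect('mqtts://...', options) forwards the options object to tls.connect(), the keys shown are tls.connect() keys. It builds the weak options object the README warns about next to the hardened one for a self-signed broker, and adds a small audit function that reports why an options object would let someone with their own self-signed certificate sit between the client and the broker. The broker host name, port 8883 and the PEM placeholder are assumptions; the mqtt module is not loaded.

```javascript
// Added example, not code from the question, the answer or MQTT.js.
// mqtt.connect('mqtts://...', options) hands `options` to tls.connect(),
// so every TLS-relevant key below is a tls.connect() option.
// Assumptions: broker DNS name, port 8883, and that the broker's certificate
// PEM reaches the client as a string (the placeholder below is constructed).

const BROKER_HOST = 'broker.example'; // assumption: your broker's DNS name

// Weak configuration from the README warning: verification is switched off,
// so a connection to ANY server presenting ANY certificate succeeds.
function insecureOptions(host) {
  return {
    host,
    port: 8883,
    rejectUnauthorized: false, // the man-in-the-middle exposure
  };
}

// Hardened configuration for a self-signed broker certificate: verification
// stays on, and the broker's own certificate (or the private CA that issued
// it) is the only trust anchor for this connection.
function pinnedCaOptions(host, caPem) {
  return {
    host,
    port: 8883,
    servername: host,         // SNI, and the name checked against the certificate
    ca: [caPem],              // trust anchor used instead of the system store
    rejectUnauthorized: true, // explicit; true is already the tls.connect default
  };
}

// Audit an options object before it reaches mqtt.connect(). Returns a list of
// findings; an empty list means nothing in the object weakens verification.
// `selfSignedBroker` says whether the broker presents a self-signed certificate.
function auditTlsOptions(opts, { selfSignedBroker = false } = {}) {
  const findings = [];
  if (opts.rejectUnauthorized === false) {
    findings.push("rejectUnauthorized: false accepts any certificate, including an attacker's");
  }
  if (typeof opts.checkServerIdentity === 'function') {
    findings.push('custom checkServerIdentity supplied; if it returns undefined for every host, hostname checking is disabled');
  }
  const hasCa = Array.isArray(opts.ca) ? opts.ca.length > 0 : Boolean(opts.ca);
  if (selfSignedBroker && !hasCa && opts.rejectUnauthorized !== false) {
    findings.push('self-signed broker but no `ca` supplied: the handshake will fail; add the certificate to `ca` instead of disabling verification');
  }
  return findings;
}

// Stand-alone demo: only the options objects are built and audited here.
if (typeof require !== 'undefined' && require.main === module) {
  const caPem = '-----BEGIN CERTIFICATE-----\n...constructed placeholder, not a real certificate...\n-----END CERTIFICATE-----\n';
  console.log('insecure:', auditTlsOptions(insecureOptions(BROKER_HOST), { selfSignedBroker: true }));
  console.log('pinned  :', auditTlsOptions(pinnedCaOptions(BROKER_HOST, caPem), { selfSignedBroker: true }));
  // Real use (assumed file name):
  // mqtt.connect(`mqtts://${BROKER_HOST}`, pinnedCaOptions(BROKER_HOST, fs.readFileSync('broker-ca.pem', 'utf8')));
}
```

The point of the audit is the third finding: a failing handshake against a self-signed broker is the usual reason people reach for rejectUnauthorized: false, and the fix is to supply the broker's certificate in `ca`, which keeps verification on while trusting exactly that certificate.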