Doubts about security in SSL communication of Sockets


I wonder whether this communication between the sockets is secure. Can I exchange information safely with this code?

I also don't quite understand how the SSLContext class works (it is not used in this code).

Server

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;

import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLServerSocketFactory;

// One thread per accepted connection; the class name must match the constructor
// used below (the original posted it as MainClass, which does not compile).
public class SSLSimpleServer extends Thread {

  public static void main(String[] args) throws Exception {
    // The default factory reads its server certificate/key from the keystore
    // configured via -Djavax.net.ssl.keyStore / -Djavax.net.ssl.keyStorePassword.
    ServerSocketFactory ssf = SSLServerSocketFactory.getDefault();
    ServerSocket ss = ssf.createServerSocket(9096);

    while (true) {
      new SSLSimpleServer(ss.accept()).start();
    }
  }
  private Socket sock;
  public SSLSimpleServer(Socket s) {
    sock = s;
  }
  public void run() {
    try {
      BufferedReader br = new BufferedReader(new InputStreamReader(sock.getInputStream()));
      PrintWriter pw = new PrintWriter(sock.getOutputStream());

      String data = br.readLine();   // one line from the client (unused here)
      pw.println("What is she?");
      pw.close();                    // close() flushes the reply before closing
      sock.close();
    } catch (IOException ioe) {
      // Client disconnected
    }
  }
}

Client

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.Socket;

import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;

public class MainClass {

  public static void main(String[] args) throws Exception {
    // The default factory validates the server certificate against the JVM's
    // default truststore (cacerts, or -Djavax.net.ssl.trustStore if set).
    SocketFactory sf = SSLSocketFactory.getDefault();
    Socket s = sf.createSocket(args[0], Integer.parseInt(args[1]));

    BufferedReader br = new BufferedReader(new InputStreamReader(s.getInputStream()));
    PrintWriter pw = new PrintWriter(s.getOutputStream());
    System.out.println("Who is Sylvia?");
    pw.println("Who is Sylvia?");
    pw.flush();                      // PrintWriter buffers; push the line out now
    System.out.println(br.readLine());
    s.close();
  }
}

1 answer

It depends on what you call "security". Note that SSL has three security-related principles: confidentiality, integrity, authenticity.

  • What confidence do you have in the certificate the server is sending?
  • Does the client accept any certificate? How will the client determine whether there is a "man-in-the-middle"?
  • Which cipher is used? What minimum do you require to call it "secure"?

To call an SSL connection "secure", one must have a reliable and "non-forgeable" certificate (assured to the extent possible), with communication going on using secure keys, using a cipher strong enough not to be broken.

Examples:

  • a "self-signed" certificate does not guarantee that the server is who it says it is. Therefore, a man-in-the-middle can easily forge the certificate.
  • communication via RC4 is considered unsafe no matter the quality of your certificate.

Now, if the question is whether the communication between client and server is taking place via SSL (regardless of the quality of the communication itself), the answer is yes. You can check with the following code:

import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

Socket s = sf.createSocket(args[0], Integer.parseInt(args[1]));
// The socket returned by SSLSocketFactory is an SSLSocket; its session exposes
// the negotiated cipher suite and protocol version.
SSLSession session = ((SSLSocket) s).getSession();
System.out.println("Criptograma: " + session.getCipherSuite());
System.out.println("Protocolo:" + session.getProtocol());

  • Yes, there are several variables. But I am asking about this communication as it is: are the messages being encrypted, then?

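The answer's three points (which certificate the client trusts, whether a man-in-the-middle is detected, which cipher is negotiated) are all client-side configuration. The following is an added example, not code from the question or the answer: a client built on SSLContext that trusts only its own truststore, verifies the server's hostname, pins the protocol versions and inspects the negotiated suite. The truststore file name and password are placeholders.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.security.KeyStore;
import javax.net.ssl.*;

public class VerifiedClient {
    // Placeholders: a PKCS12 truststore holding only the CA (or server cert) we accept.
    static final String TRUSTSTORE = "client-truststore.p12";
    static final char[] TRUSTSTORE_PW = "changeit".toCharArray();

    public static SSLSocket connect(String host, int port) throws Exception {
        // Explicit trust anchor instead of whatever the JVM default truststore accepts.
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            ts.load(in, TRUSTSTORE_PW);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert, our trust managers, default RNG

        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        // Require the certificate's name to match the host we dialed; without this a
        // valid certificate for some other name would still be accepted.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);

        s.startHandshake(); // SSLHandshakeException if untrusted, name mismatch or no common protocol
        SSLSession session = s.getSession();
        String suite = session.getCipherSuite();
        if (suite.contains("RC4") || suite.contains("_NULL_") || suite.contains("_anon_")) {
            s.close();
            throw new SSLException("unacceptable cipher suite: " + suite);
        }
        System.out.println("Protocol: " + session.getProtocol() + ", suite: " + suite);
        return s;
    }

    public static void main(String[] args) throws Exception {
        try (SSLSocket s = connect(args[0], Integer.parseInt(args[1]))) {
            s.getOutputStream().write("Who is Sylvia?\n".getBytes("UTF-8"));
            s.getOutputStream().flush();
            System.out.println(new BufferedReader(new InputStreamReader(s.getInputStream())).readLine());
        }
    }
}
```

With this client, a self-signed certificate not present in the truststore, or a certificate issued for another hostname, fails the handshake instead of being silently accepted.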