Doubts about security in Sockets SSL communication

2

I wonder if this communication between sockets is secure. From this code can I exchange information securely?

I'm also sure to understand how the SSLContext class works (it's not in that code).

Server

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;

import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLServerSocketFactory;

public class MainClass extends Thread {

  public static void main(String[] args) throws Exception {
    ServerSocketFactory ssf = SSLServerSocketFactory.getDefault();
    ServerSocket ss = ssf.createServerSocket(9096);

    while (true) {
      new SSLSimpleServer(ss.accept()).start();
    }
  }
  private Socket sock;
  public SSLSimpleServer(Socket s) {
    sock = s;
  }
  public void run() {
    try {
      BufferedReader br = new BufferedReader(new InputStreamReader(sock.getInputStream()));
      PrintWriter pw = new PrintWriter(sock.getOutputStream());

      String data = br.readLine();
      pw.println("What is she?");
      pw.close();
      sock.close();
    } catch (IOException ioe) {
      // Client disconnected
    }
  }
}

Customer

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.Socket;

import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;

public class MainClass {

  public static void main(String[] args) throws Exception {
    SocketFactory sf = SSLSocketFactory.getDefault();
    Socket s = sf.createSocket(args[0], Integer.parseInt(args[1]));

    BufferedReader br = new BufferedReader(new InputStreamReader(s.getInputStream()));
    PrintWriter pw = new PrintWriter(s.getOutputStream());
    System.out.println("Who is Sylvia?");
    pw.println("Who is Sylvia?");
    pw.flush();
    System.out.println(br.readLine());
    s.close();
  }
}
    
asked by anonymous 13.08.2015 / 03:33

1 answer

1

Depends on what you call "security." Note that SSL has three security-related principles: confidentiality, integrity, authenticity.

  • What confidence do you have in the certificate that the server is sending?
  • Does the customer accept any certificates? How will the customer determine if they do not have a "man-in-the-middle"?
  • What is the cryptogram used? What is the minimum you require to call "secure"?

To call a "secure" SSL connection, you must have a trusted and "non-forge" certificate (ensured as far as possible), with communication happening using secure keys, using a cryptogram secure enough not to be broken.

Examples:

  • A self-signed certificate does not guarantee that the server is who it says it is. So a man-in-the-middle can easily forge the certificate.
  • A communication via RC4 is considered unsafe, regardless of the quality of your certificate.

Now, if the question is whether the communication between the client and server is occurring via SSL (regardless of the quality of the communication itself), the answer is yes. You can check with the following code:

Socket s = sf.createSocket(args[0], Integer.parseInt(args[1]));
SSLSession session = ((SSLSocket) s).getSession();
System.out.println("Criptograma: " + session.getCipherSuite());
System.out.println("Protocolo:" + session.getProtocol());
    
14.08.2015 / 14:26