
I have a Swing application that needs to send login details to a server (written in Node.js) for verification. So far I've managed to successfully send HTTP POST requests and get JSON objects from the server; the only problem is, when sniffing with Wireshark I can actually see the request body and thus the password and the username in it, so I guess that's not very secure. I don't mind the server, and I'm not so sure I want an SSL connection since I don't mind about the security of the objects returned. My code looks something like this:

// Http members
private AsyncHttpClient asyncHttpClient = new AsyncHttpClient();

and the function that makes the call itself looks like this:

    private void login(String username, String password) throws IOException, InterruptedException, ExecutionException {

        asyncHttpClient.preparePost(LOGIN_URL)
            .addFormParam("email", username)
            .addFormParam("password", password)
            .execute(new AsyncCompletionHandler<Response>() {

                @Override
                public Response onCompleted(Response response) {
                    // do something with the response object
                    return response;
                }
            });
    }

As you can see nothing elaborate here.

In Wireshark the request body looks like this:

    Line-based text data: application/x-www-form-urlencoded
        email=myUserName&password=myPassword

I did try to look around and search for answers both here and in other places and read the documents, but it looks like there is a simple way of doing this and I'm just missing something..

Thanks for any answer

  • Does someone know what the process of getting an HTTPS connection to the server is? – Lior Naar Dec 26 '15 at 15:04
  • It is a different question, divided into client and server parts. The server part is more admin related; the client part will depend on the server configuration, but if the server uses a proper certificate and non-deprecated cipher suites, all you need to change on the client side is http to https in the URL. Java takes care of the details. – user1516873 Dec 27 '15 at 08:13
  • so what you're suggesting is to change the configuration on the server side...? – Lior Naar Dec 27 '15 at 14:34
  • Google 'how to set up https on my favorite web application server' or ask a different question; the comment section is for clarification of the current question, not for new questions. – user1516873 Dec 27 '15 at 22:21

2 Answers


If you don't want anyone along the line to be able to see your data, you need to encrypt it somehow.

The easiest way to accomplish this at a reasonable level of security is using an HTTPS connection. If you only care about the data, you can also try to implement some form of end-to-end encryption yourself, but this is hard to get right.

Summary: Just use https


Things to make it more secure:

  • add transport encryption, aka HTTPS
    • attackers from outside your computer see nothing
  • send the password as a hash, not cleartext
    • your password remains unknown to an attacker watching pre-encrypted data in your browser, but they could still resend the same request to gain access
  • one-time token per SMS
  • ...
  • Thanks for the reply. If I do want to use the HTTPS protocol, won't I have to change it on the server side too? What changes should be made in my code? – Lior Naar Dec 24 '15 at 12:13
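To make concrete what user1516873's comment and Jan's first bullet say about the client side, here is an added example that is not from the question or either answer. It assumes async-http-client 1.9.x (the `com.ning.http.client` package, matching the `AsyncCompletionHandler`/`addFormParam` calls in the question); the hostname in `LOGIN_URL`, the `HttpsLogin` class name and the `dev-truststore.jks` file are made up for illustration. With a server certificate issued by a CA already in the JVM's `cacerts`, the only change to the original `login` method is the `https://` scheme; the second constructor shows the right way to trust a self-signed development certificate, which is to pin a truststore rather than switch certificate checking off.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.concurrent.Future;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.ning.http.client.AsyncCompletionHandler;
import com.ning.http.client.AsyncHttpClient;
import com.ning.http.client.AsyncHttpClientConfig;
import com.ning.http.client.Response;

/** Added example: the original login call moved from http:// to https://. */
public class HttpsLogin {

    // Assumed host and path; the only difference to the question's LOGIN_URL is the scheme.
    private static final String LOGIN_URL = "https://login.example.com/login";

    private final AsyncHttpClient asyncHttpClient;

    /**
     * Production setup: the server presents a certificate chaining to a public CA.
     * The default client validates it against the JVM's cacerts, so nothing else
     * changes on the client side.
     */
    public HttpsLogin() {
        this.asyncHttpClient = new AsyncHttpClient();
    }

    /**
     * Development setup: the Node.js server uses a self-signed certificate.
     * Trust exactly that certificate through a dedicated truststore instead of
     * accepting any certificate, which would let a man-in-the-middle read the
     * password again.
     */
    public HttpsLogin(String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No client key material (null KeyManagers): the client authenticates with the
        // form fields, the server authenticates with its certificate.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);

        // Assumption: AsyncHttpClientConfig.Builder#setSSLContext as in async-http-client 1.9.x.
        AsyncHttpClientConfig config = new AsyncHttpClientConfig.Builder()
                .setSSLContext(sslContext)
                .build();
        this.asyncHttpClient = new AsyncHttpClient(config);
    }

    /** Same request as in the question; the form body now travels inside the TLS session. */
    public Future<Response> login(String username, String password) {
        return asyncHttpClient.preparePost(LOGIN_URL)
                .addFormParam("email", username)
                .addFormParam("password", password)
                .execute(new AsyncCompletionHandler<Response>() {
                    @Override
                    public Response onCompleted(Response response) {
                        // do something with the response object
                        return response;
                    }
                });
    }

    public void close() {
        asyncHttpClient.close();
    }
}
```

For the development case, export the server's certificate and import it once with `keytool -importcert -alias devserver -file server.crt -keystore dev-truststore.jks -storetype JKS`; the certificate must be issued for the hostname used in `LOGIN_URL`, or the handshake fails. After this change a Wireshark capture of the login shows only TLS records (Client Hello, Application Data) instead of the `email=...&password=...` body. Do not "fix" a handshake failure with `setAcceptAnyCertificate(true)` or a trust-all `TrustManager`: that keeps the padlock in name only and puts the credentials back within reach of anyone on the path.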