Developing a chat application: sniffing a user's conversation

 

Basics: CIA triad

If you already know what this is, skip this section. If not, it is a conceptual model of a system's security that guides us in developing a secure application.

Confidentiality: protection of sensitive data from unauthorized access or disclosure

Integrity: maintaining accuracy and reliability of data 

Availability: ensures that information and resources are accessible to authorized users when needed

Which part of the CIA triad does encryption support?

Encryption protects sensitive data from unauthorized access, so it supports Confidentiality. However, it does not support the Integrity of the data: although the text is encrypted, it can still be modified into something else, so we would not be able to verify the origin of the text. A certificate, on the other hand, allows us to verify the Integrity of the message. We will explore integrity verification in a different post.

Plain text routed on the internet (example)

Now that we know what encryption is, let's look at how plain text data looks when it is transmitted over the internet. We will use the chat application that we are developing in this example. Aside from that, we will use tcpdump, Wireshark and hexdump. tcpdump allows you to sniff packets on an interface. Wireshark allows you to visualize the packets. And hexdump allows you to view the bytes of the dump file as characters.

I started up the chat server on localhost (127.0.0.1), then I connected two users to the chat as shown below.

Then I started tcpdump on the lo interface: tcpdump -i lo -w unsecure.dump

Then I started sending messages between the two users like below:



Now let's look at the packets we sniffed by opening the dump with Wireshark: wireshark unsecure.dump


As you can see, the message can be easily read.

You can even see it by running: hexdump unsecure.dump -C


Here you can see the message.
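
What Wireshark and hexdump show can also be reproduced by reading the capture file directly. The following is an added example, not code from the original post: it parses a classic pcap file of the kind tcpdump -w writes and returns every TCP payload it contains. The port numbers and chat messages are constructed sample values, and only Ethernet-framed IPv4 captures are handled (an assumption that matches how Linux frames the lo interface).

```python
import struct

def build_sample_pcap(messages):
    """Constructed capture: one Ethernet/IPv4/TCP frame per message (checksums left at 0)."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    lo = bytes([127, 0, 0, 1])
    for i, data in enumerate(messages):
        eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), i, 0, 64, 6, 0, lo, lo)
        tcp = struct.pack("!HHIIBBHHH", 50000, 9000, i, 0, 0x50, 0x18, 65535, 0, 0)
        frame = eth + ip + tcp + data
        pcap += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return pcap

def tcp_payloads(pcap):
    """Return [(src_port, dst_port, payload)] for every TCP segment that carries data."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet-framed captures are handled")
    found, off = [], 24                                       # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                          # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4                          # IP header length
        ip_total = struct.unpack_from("!H", frame, 16)[0]
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue                                          # truncated TCP header
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4                 # TCP header length
        data = frame[tcp + data_off : 14 + ip_total]
        if data:                                              # bare ACKs carry nothing
            found.append((sport, dport, data))
    return found

if __name__ == "__main__":
    # Constructed messages standing in for the chat traffic.
    sample = build_sample_pcap([b"hi bob, it's alice", b"", b"hello alice"])
    for sport, dport, data in tcp_payloads(sample):
        print(f"{sport} -> {dport}: {data.decode(errors='replace')}")
```

To run it against the real capture, pass the file's bytes: tcp_payloads(open("unsecure.dump", "rb").read()).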

In the next post, I will show you how you can mitigate this problem with end-to-end (E2E) encryption.
