skiwi

Reputation: 69379

Java SSL Safety

I have a client-server model that uses SSL on every connection. I have used Java and the common libraries to program this. I have two questions regarding the SSL safety:

1) Is it considered safe to send the password in plaintext from the client to the server? The server uses BCrypt to hash the password and store it. I have considered sending an unsalted hash of the password or a nonced hash of the password, but are they truly more safe than sending the password in plaintext? I doubt it. I don't think sending the password as a salted hash is a viable option, as the salt would need to be stored somewhere in the client or sent over the network, and thus I don't think it would make it inherently more safe than sending the password as plaintext. Due to SSL nobody else should be able to read it anyway, right?

2) Does encrypted data on SSL always get encrypted to a different string, and if so, can you use an earlier encryption of a certain string to get the same result later? To clarify:

Under all circumstances the assumption should be made that I do not want to approach this from my own (client or server) perspective, but I want to approach this from a hacker/cheater's point of view.

Regards.

Upvotes: 0

Views: 52

Answers (1)

user207421

Reputation: 311023

I'll answer this another way. SSL has privacy, integrity, and authentication.

  1. Privacy: no-one can read the traffic.
  2. Integrity: no-one can modify, inject, replay, or truncate the traffic without detection.
  3. Authentication: at least one of the peers is reliably authenticated to the other.

(1) disposes of your first question. (2) disposes of your second question.

Upvotes: 2
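The three properties in the answer only hold if the client actually verifies the server it talks to. The following is an added example, not code from the question or the answer: a Java client that enables host-name verification on its `SSLSocket` before sending the credentials, and the matching server-side BCrypt registration and login check that the question describes. It assumes the jBCrypt library (`org.mindrot.jbcrypt.BCrypt`) on the classpath and a server keystore configured through the standard `javax.net.ssl.keyStore` system properties; host, port and the sample password are constructed placeholders.

```java
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.mindrot.jbcrypt.BCrypt; // assumption: jBCrypt on the classpath

public class TlsPasswordExample {

    // Client side: open a TLS connection that checks the server's certificate chain
    // against the default trust store AND checks that the certificate names this host.
    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Without this line a valid certificate issued for any other host is accepted,
        // which defeats the "authentication" property the answer relies on.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Only modern protocol versions; SSLv3, TLS 1.0 and TLS 1.1 are deprecated.
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    // Client side: the password is written as-is; the TLS record layer encrypts it,
    // so only the authenticated server can read it (the answer's "privacy").
    static void sendCredentials(SSLSocket socket, String user, String password)
            throws IOException {
        Writer out = new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.UTF_8);
        out.write(user + "\n" + password + "\n");
        out.flush();
    }

    // Server side, at registration: store only a salted BCrypt hash, never the password.
    static String storeNewPassword(String password) {
        return BCrypt.hashpw(password, BCrypt.gensalt(12)); // cost 12 = 2^12 rounds
    }

    // Server side, at login: compare the received plaintext with the stored hash.
    static boolean verifyLogin(String receivedPassword, String storedHash) {
        return BCrypt.checkpw(receivedPassword, storedHash);
    }

    // Server side: listening socket; the server's own certificate and key come from the
    // keystore named by -Djavax.net.ssl.keyStore / -Djavax.net.ssl.keyStorePassword.
    static SSLServerSocket listen(int port) throws IOException {
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Registration: the server keeps only this hash (constructed sample password).
        String storedHash = storeNewPassword("correct horse battery staple");
        System.out.println(verifyLogin("correct horse battery staple", storedHash)); // true
        System.out.println(verifyLogin("wrong password", storedHash));               // false

        // Login over TLS; needs a running server. Host and port are placeholders.
        if (args.length == 2) {
            try (SSLSocket s = connect(args[0], Integer.parseInt(args[1]))) {
                sendCredentials(s, "alice", "correct horse battery staple");
            }
        }
    }
}
```

Sending a client-computed hash instead of the password would not improve on this: whatever string the server accepts at login becomes the credential, so an attacker who could read the channel would simply replay that hash. The protection comes from the verified TLS channel, and the BCrypt hash on the server limits the damage if the stored credentials are ever leaked.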
