Page History

The javax.net.ssl.SSLSocket class must be used instead of the java.net.Socket socket class when transferring sensitive data over insecure communication channels. The class SSLSockets provides security protocols such as SSL/TLS to ensure that the channel is not vulnerable to eavesdropping and malicious tampering.

...

It is also important to use SSL for secure Remoteremote Methodmethod Invocationinvocation (RMI) communications because RMI depends on object serialization and serialized data must be safeguarded in transit. Gong et al. \[[Gong 2003|AA. Bibliography#Gong 03]\] describe how to secure RMI communications using {{SSLSockets}}.

Note that this rule makes no assumptions about the integrity of the data being sent down a socket. For information about securiting ensuring data integrity, see SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary.

...

Note that the sockets are closed in accordance with ERR05-J. Do not let checked exceptions escape from a finally block. While merely printing close exceptions is frowned upon, the exceptions may be suppresed suppressed as per ERR00-EX0 of ERR00-J. Do not suppress or ignore checked exceptions.

...

MSC00-EX0: Because of the mechanisms that SSLSockets provide to ensure the secure transfer of packets, significant performance overhead may result. Regular {Socket}}s sockets are sufficient if:

• The data being sent over the socket is not sensitive
• The data is sensitive, but properly encrypted. See SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary for more information.
• The network path of the socket never crosses a trust boundary. This could happen if, for example, the two endpoings of the socket are within a local network and the entire network is trusted.

Risk

...

Assessment

Using plain sockets instead of SSLSockets means that the data's confidentiality and integrity is not guaranteed.

...

...