vPilot sends credentials in clear-text

[Justin Fingerhuth]

Hi there,

I tried to connect to the network a few minutes ago, but vPilot said "invalid CID/password". So I tried to find out if this is a general message when the client cannot connect to the VATSIM servers. I started Wireshark to identify this problem because I recently had problems with my network.

I connected to a specific server (UK-1) and set a filter in Wireshark for the IP of the server and saw that all communication is not encrypted. When I decided to follow the TCP traffic, I could see everything in plain text, like UID, password and so on. All communication from vPilot to the selected server.

I expected applications to use encrypted communication in 2020. Is this an error or "works as designed"? 

I only ask because I showed it in a livestream: "how to identify problems with the connection: Your error or the error of others?", and everyone who watched could see my login details. If I had already changed my password, but, you know, it's 2020 and really everything is encrypted. Everything except the vPilot Client 😉

All the best,
Justin

Edited December 6, 2020 at 04:28 PM by Justin Fingerhuth

[Ross Carlson]

25 minutes ago, Justin Fingerhuth said:

it's 2020 and really everything is encrypted. Everything except the vPilot Client

You make it sound like I made a mistake developing vPilot.  The reality is that VATSIM runs on a 25 year old network protocol that has never been encrypted. I can't encrypt the credentials when sending them to the server if the server is expecting clear text.

[Justin Fingerhuth]

Okay, that explains it 🙂
In this case I do not open Wireshark in streams again. Thanks for your explanation ^^