You're browsing the 2004-2023 VATSIM Forums archive. All content is preserved in a read-only fashion.
For the latest forum posts, please visit https://forum.vatsim.net.

vPilot sends credentials in clear-text


Justin Fingerhuth
Posted (edited)

Hi there,

I tried to connect to the network a few minutes ago, but vPilot said "invalid CID/password". So I tried to find out if this is a general message when the client cannot connect to the VATSIM servers. I started Wireshark to identify this problem because I recently had problems with my network.

I connected to a specific server (UK-1) and set a filter in Wireshark for the IP of the server and saw that all communication is not encrypted. When I decided to follow the TCP traffic, I could see everything in plain text, like UID, password and so on. All communication from vPilot to the selected server.

I expected applications to use encrypted communication in 2020. Is this an error or "works as designed"? 

I only ask because I showed it in a livestream: "how to identify problems with the connection: Your error or the error of others?", and everyone who watched could see my login details. If I had already changed my password, but, you know, it's 2020 and really everything is encrypted. Everything except the vPilot Client 😉

All the best,
Justin

Edited by Justin Fingerhuth

Ross Carlson
Posted
25 minutes ago, Justin Fingerhuth said:

it's 2020 and really everything is encrypted. Everything except the vPilot Client

You make it sound like I made a mistake developing vPilot. 😁 The reality is that VATSIM runs on a 25-year-old network protocol that has never been encrypted. I can't encrypt the credentials when sending them to the server if the server is expecting clear text.

Developer: vPilot, VRC, vSTARS, vERAM, VAT-Spy

Senior Controller, Boston Virtual ARTCC


Justin Fingerhuth
Posted

Okay, that explains it 🙂
In this case I will not open Wireshark in streams again. Thanks for your explanation ^^
