What is the safest communication method between two applications on the same machine, both Java and C/C++ clients with a Java server?
Are SSL sockets safe enough, or can they be broken by "man in the middle" attacks?
The main concern here is: how can the clients trust the local server?
Would introducing a remote server improve the security of the local communication and how can this be achieved?
You need to elaborate your threat model. It's a general truism that anyone with physical access to your hardware, motivation and sufficient time will be able to subvert anything. This goes double if that attacker happens to be an admin on the server.
And yes, anything that is in your code is readable with admin access. You can try clever tricks like encrypting or obfuscating a password stored in binaries/JAR files, but this is a hindrance, not an absolute barrier.
Again, on the other side, there are no absolute barriers for confidentiality, merely more or less efficient obstructions. Whatever your measure, whatever the strength of your encryption and key management, with enough time and incentives, anything will yield. Which returns us to my first point: what is your threat model (what attacks do you wish to protect against); how much are your protected assets worth; and whom and what do you trust?
Safe from what? If an attacker has root, they can subvert system calls and spy on memory buffers before encryption and after decryption, and nothing you can do is safe.
If an attacker does not have root, they can't see this information even if you don't encrypt it.
So I don't see a point to this.
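The "attacker does not have root" case from the answer above can be made concrete on Linux with a Unix domain socket: the socket sits in a directory only its owner can enter, and each side asks the kernel (SO_PEERCRED) which uid is on the other end, which an unprivileged peer cannot forge. This is an added example, not code from the question or either answer; Python stands in for the Java server and the C/C++ clients, which can make the same getsockopt call, and the socket path, message format and 2-second accept timeout are my own choices.

```python
import os, socket, struct, tempfile, threading

_UCRED = "3i"  # Linux struct ucred: pid, uid, gid as three C ints


def peer_uid(conn):
    """uid of the process at the other end of a connected Unix socket, as reported by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(_UCRED))
    _pid, uid, _gid = struct.unpack(_UCRED, raw)
    return uid


def _serve_one(listener, expected_uid):
    """Accept one client; drop it unless it runs as expected_uid, else echo its message upper-cased."""
    try:
        conn, _ = listener.accept()
    except socket.timeout:
        return  # no client showed up (e.g. it refused to trust us)
    with conn:
        if peer_uid(conn) != expected_uid:
            return  # close silently; the client reads b""
        conn.sendall(conn.recv(1024).upper())


def trusted_exchange(message, expected_uid=None):
    """Round-trip message through a local server that both sides authenticate by uid (default: our own)."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    # mkdtemp creates the directory with mode 0700: other non-root users cannot reach the socket at all.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.sock")
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        os.chmod(path, 0o600)
        listener.settimeout(2.0)  # so the server thread cannot hang if the client bails out
        listener.listen(1)
        server = threading.Thread(target=_serve_one, args=(listener, expected_uid))
        server.start()
        try:
            # Client-side trust in the server: who owns the socket file, and who actually answers on it.
            if os.stat(path).st_uid != expected_uid:
                raise PermissionError("socket file not owned by expected uid")
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(path)
                if peer_uid(client) != expected_uid:
                    raise PermissionError("server process runs as unexpected uid")
                client.sendall(message)
                return client.recv(1024)
        finally:
            server.join()
            listener.close()
```

None of this survives a root attacker, who can read both processes' memory regardless of the transport; it only closes the gap between unprivileged users that the answer describes.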