but I can't understand how it works with registration
Ah well that's another story, but you didn't mention it earlier.
No, for registration it won't work. Plain and simple. This is a system for protecting a login where both parties (client and server) know the password.
If you need a highly secure registration system I would simply recommend using a webpage running HTTPS (+ Certificate).
You can either use your own web-server or the embedded Jetty instance coming with SFS2X.
However you should also consider another point:
if the registration process is handled via extension code the password will travel "in clear" to the server.
This is not entirely true because the protocol is binary and with compression you just see a meaningless stream of bytes. So the first step for the hacker is to reverse engineer the protocol. No big deal, supposing the malicious user is a geek.
Good, but the thief now needs to hijack the persistent socket connection of the registering User in order to spy on its network data... right?
So, let's say I am at home in front of my desktop typing my data for the registration form. You are in your underground secret lab trying to obtain my password. How do you proceed with that?
Do you send me a trojan that allows you to monitor my network?
Let's say I am fool enough to click the exe and I have no antivirus.
If you could do that you could already monitor my keyboard and grab everything I write including maybe my bank account login, credit card number etc...
Additionally the trojan will probably even allow you to grab any files from my HD.
Or, let's exclude the trojan.
You park your car around the corner of my house, fire up your Linux laptop and run a brute-force attack on my router in order to break in and grab all my data.
See what I want to say?
Of course if you want the simple answer, I will say HTTPS request.
But if we go a little more into the details I would say that in general it's not as easy as it seems to spy over a connection.
My 0.02