views: 90

answers: 4

I've read that using http over SSL requires buying an SSL certificate from a certification authority. Since I can't afford such expense, I thought of using a strong and reliable encryption on both client and server side, but unfortunately this is not sufficiently secure, given that packages can easily be intercepted hence decrypted.

Any suggestions on how to remedy this?

A: 

Where are you buying your SSL certificate? If you don't want all the crazy security signing features (think Verisign), then you can get certificates at a very reasonable price at domainz4less.com.

Don't want to pay at all? You can create your own self signed certificate. Just be warned that browsers will realize it's self signed and warn the user that the site may be insecure, often forcing the user to say "yes, I really want to view this page".

Sam Bisbee
+2  A: 

You can use an SSL certificate that is not signed by any certification authority -- and it will cost you nothing; communications between the client and the server will still be encrypted.

Only thing is your users will get a warning saying something like "this website is using a certificate that is not authenticated; do you want to continue?"

Not necessarily nice for end-users, but perfectly OK if your application is not for general-public, for instance.

Pascal MARTIN
That goes away if you install the client half of the certificate on your client machine. Which you should, under controlled conditions: if the client has no means of validating the server certificate you are susceptible to a man in the middle attack. Good in a corporate environment, generally not feasible on the web in general.
ijw
A: 

SSL Certificates (for a single domain) are $30 a year at GoDaddy.

I find it hard to imagine that whatever you have to protect isn't worth more than $3 a month.

Buy the SSL certificate.

Mike Buckbee
+2  A: 

If you don't need to have a certificate signed by a recognized CA (which you generally only need if you're securing a web application for the general public), have a look at OpenSSL. Also look at this tutorial on generating self-signed certificates with OpenSSL.

If your application is a web app targeting consumers, you'll need to purchase a cert from a recognized CA.

Eric J.
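An added example (not from any of the answers above) that ties together Eric J.'s pointer to self-signed certificates with OpenSSL and ijw's comment about installing the certificate on the client: it generates a self-signed certificate, then shows that a client with no knowledge of it cannot validate it (the source of the browser warning) while a client that has the certificate in its trust store validates both the chain and the host name. It assumes the `openssl` CLI (1.1.1 or newer) is on PATH; the host name `app.example.test` and the work directory are constructed for the demo.

```bash
#!/bin/sh
# Added example: self-signed certificate generation and client-side validation.
# Assumes the openssl CLI is available. HOST and WORK are constructed values.

WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"
HOST="app.example.test"

# Create a private key and a self-signed certificate for $HOST.
# The subjectAltName is what modern clients match the host name against.
make_self_signed() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" \
        -days 365 -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
}

# Validate server.crt the way a client would: chain must end in a certificate
# from the given trust store AND the name must match. Prints "ok" or "untrusted".
verify_with_store() {
    store="$1"
    if openssl verify -CAfile "$store" -verify_hostname "$HOST" \
        "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# A client that has never seen this certificate (stand-in for a browser that
# only trusts public CAs): its trust store does not contain our cert.
verify_unknown_client() {
    : > "$WORK/empty-store.pem"
    verify_with_store "$WORK/empty-store.pem"
}

# A client on which the self-signed certificate was installed as trusted,
# which is what removes the warning and defeats a man-in-the-middle.
verify_trusting_client() {
    verify_with_store "$WORK/server.crt"
}

cleanup() {
    rm -rf "$WORK"
}

make_self_signed
echo "client without the cert installed: $(verify_unknown_client)"
echo "client with the cert installed:    $(verify_trusting_client)"
```

The second client still rejects a certificate for another host name or one signed by a different key, which is the check a browser cannot perform for a self-signed certificate it has never been told to trust.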