The other day I noticed that if I run IEInspector's HttpAnalyser and capture the post data when logging into my bank account or amazon account the post data shows my user name and password in the clear. This is a little concerning. Does anyone know at what point the SSL encryption takes place? This I assume would mean that any software that is installed on your machine could potentially get access to this post data. Very scary.
+7
A:
Secure Socket Layer - It encrypts the data over the socket (network/internet) NOT on your local machine.
Robin Day
2010-02-11 09:11:45
+12
A:
The thing is built into your browser !! The browser is the entity encrypting the text so it will obviously have copies of both encrypted AND unencrypted text. The plugin you have shown has access to everything IE does.
If you want a true representation of what is going on use wireshark. This will read the actual network traffic being output by your browser.
Hassan Syed
2010-02-11 09:12:17
A:
SSL encryption will definitely take place before hitting the network. A packet-sniffer cannot get to the contents of request or response.
Does IEInspector run inside of IE (as a plugin)? In this case, it can probably do some pretty nasty things (but you agreed to that when you installed it).
Thilo
2010-02-11 09:14:16
No HttpAnalyser does not run in IE and I have done the same test with both Chrome and IE and the post data displayed in HttpAnalyser shows the username and password in the clear. I'd assume this would be true for all browsers.
Andrew
2010-02-11 09:19:56
You can download a trial version here http://www.ieinspector.com/httpanalyzer/download.htmlGive it a try with your favourite browser and check out the post data tab.
Andrew
2010-02-11 09:27:27
+2
A:
SSL encrypts traffic "over the wire". So it is safe between your computer and the receiving server (minus SSL vulnerabilities, like the new vulnerability just discovered - http://twit.tv/sn223).
If you have malicious software on your computer, then you are not safe anymore. And SSL cannot help you at all. A malicious software could use much more basic attacks anyway, like keylogging ...
Guillaume
2010-02-11 09:14:43
+2
A:
SSL is very secure.
I think Thilo has hit on the right answer - IEInspector appears to run under IE, not as a separate tool. I suspect that it is therefore able to display traffic before it goes through the SSL stack and leaves the browser.
You can prove this is the case by downloading a packet sniffer like Wireshark and sniffing the traffic from the network card. You'll see that the packets are in fact encrypted and your logins are not actually going out in plain text.
Paolo
2010-02-11 09:21:19
A:
As for your question about SSL, rather than the issue with seeing your uid/pwd in the browser. In short SSL is fine. There have been some very subtle attacks lately, but it's still a good protocol, especially TLS 1.0 and later (TLS is IETF's ratified SSL)
But you need to think of the threats - what issues do you want to solve with SSL? If you're worried about on-the-wire tamper detection and secrecy with server authentication then it's fine, just make sure your client and/or server do not negotiate down to weak ciphersuites, such as 40- or 56-bit RC4 or DES, or MD4 and so on.
SSL can also provide client authentication if needed, but this is optional.
As a final note. SSL is generally wwaayy better than anything you could design :)
cheers, Michael
Michael Howard-MSFT
2010-02-11 22:31:03