Encryption on Passwords provided through Post Requests

views:

answers:

+1 Q:

Encryption on Passwords provided through Post Requests

I've been learning about networks and have been logging the post requests I make in firefox using LiveHttpHeaders. What is interesting is that when I log into sites, with or without https, the Post request which gets submitted includes my username and password in plain text! Isn't this dangerous in the case that a system administrator keeps logs of all network requests or if someone is listening on a wireless network? I've tried this on gmail as well as other sites. I would have thought that the people at google already thought of this problem, so am I forgetting something? Wouldn't it be wiser to encrypt on client side as well to overcome this possible security hole?

Here is the content block for a sample post request ( I have replaced my actual username and password with USER and PASS) for obvious reasons.

ltmpl=default&ltmplcache=2&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3F&service=mail&rm=false&dsh=8406886653173005655&ltmpl=default&hl=en&ltmpl=default&scc=1&ss=1&GALX=4EQjnPdWBb0&Email=USER&Passwd=PASS&rmShown=1&signIn=Sign+in&asts=

This is kind of off-topic, you might be better asking on a security mailing list or similar.

But i think your confusion is that the program you're using to track the information is decrypting the SSL session (assuming there is one). What your asking about ("client side encryption") is pretty much done by SSL. You might want to take a look into the subject.

Noon Silk 2010-07-14 02:09:59

When you submit information over an SSL-secured connection, only a party privy to the private key for the server with which you are communicating can read the data you submit.

So, although to you your username and password appear plain-text, this is because you are sniffing them before they are encrypted.

If you want to see what an SSL connection really looks like, put a packet dumper in between the client and server. Not running on either machine. Such a packet dumper will see a stream of encrypted, unreadable data.

Borealid 2010-07-14 02:22:45

A process encrypts the data **before sending**, and decrypts **after receiving**. Your last paragraph would make sense only if the network device were responsible for the encryption.

jweyrich 2010-07-14 03:27:46

@jweyrich: no, read again. If you put something on the network in between the client and the server, you get a view of what the packets look like to a real attacker.

Borealid 2010-07-14 05:32:30

@Borealid: maybe I didn't understood what you meant by "Not running on either machine". If you're saying that one must run the sniffer in a different computer in order to see the encrypted traffic, it's not needed - you can run it on the same computer.

jweyrich 2010-07-14 06:45:01

@jweyrich: The reason I said it shouldn't be running on the same machine is to avoid situations like VPN interfaces. For instance, if you listen on your outbound if, you will be able to see IPSec traffic in the clear because the kernel doesn't encrypt it until later in the stack. The only way to be sure you're seeing a real picture is to stand where the outsiders would.

Borealid 2010-07-14 06:47:00

@Borealid: ah okay. Thank you for the clarification, even though I don't see any mention to VPN. I should've considered it :-)

jweyrich 2010-07-14 07:50:32

ansaurus

tags:

views:

answers:

Encryption on Passwords provided through Post Requests

related questions