this post was submitted on 18 Jul 2023
Discussions related to Infosec.pub

1229 readers
1 users here now

founded 2 years ago
MODERATORS
 

I tried logging in from a browser and inspected the request. My password was sent in plaintext. Is this an infosec.pub issue or a Lemmy one?

[–] clb92@kbin.social 15 points 2 years ago (12 children)

The server needs to receive your password to verify it and log you in. That's how it always is. As long as you are connecting via HTTPS, this is not a problem.

[–] iamak 3 points 2 years ago* (last edited 2 years ago) (9 children)

Why not hash it client side? Edit: Isn't SSL vulnerable to MITM attacks? (I am a noob in this field)

[–] alex_02 4 points 2 years ago (1 children)

Most of the comments are misconceptions. SSL/TLS is supposed to create a tunnel on top of TCP. If implemented correctly, it is supposed to connect, establish a session key, and anything going back and forth from server to client will be using the tunnel using a symmetric encryption. On the client side, usually your password will be sent in plaintext before the server hashes it and checks against a DB of hashes. The client side should not hash the password, which I am fairly sure would allow pass-the-hash, but don't quote me on that. Also, there is a possibility of MITM, but it requires specific conditions and isn't like how sslstrip or whatever was a while ago.

I'm tired so I might be wrong about some of this stuff, but the cryptography SO has a lot of questions on how SSL/TLS works and I suggest googling how TLS works.
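Added example (not from this thread, and not Lemmy or infosec.pub code): a small Python model of the point clb92 and alex_02 make. The server keeps only a per-user salt and a PBKDF2-HMAC-SHA256 verifier (standard-library hashlib; the 16-byte salt and iteration count are assumptions chosen for illustration), so it has to receive the password itself to check it. The second half models the "hash it client side" idea: the browser sends SHA-256(password) instead, but whatever the client sends is now the credential, so anyone who captures it on an unprotected channel can replay it exactly as they could a plaintext password. What stops the capture in both designs is the TLS tunnel, not the shape of the secret.

```python
import hashlib
import hmac
import os

# Assumed parameters for this constructed example; a real deployment would tune
# the work factor (or use Argon2/bcrypt) rather than copy these values.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from a password and a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class PasswordStore:
    """Server side: stores (salt, verifier) per user, never the password."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """Needs the password as sent by the client; re-derives and compares."""
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so the response
            # time does not reveal which usernames exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, stored = record
        # Constant-time comparison of the two verifiers.
        return hmac.compare_digest(stored, hash_password(password, salt))


def client_side_hash(password: str) -> str:
    """What a naive 'hash it in the browser' scheme would put on the wire."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict[str, bool]:
    """Run both designs against a constructed user and report the outcomes."""
    results: dict[str, bool] = {}
    secret = "correct horse battery staple"  # constructed sample password

    # Design 1: client sends the password, server verifies against its hash.
    store = PasswordStore()
    store.register("alice", secret)
    results["plaintext_ok"] = store.verify("alice", secret)
    results["plaintext_wrong"] = store.verify("alice", "not the password")
    results["unknown_user"] = store.verify("bob", secret)

    # Design 2: client sends SHA-256(password); the server treats that digest
    # as the credential and (correctly) still salts and stretches it.
    hashed_store = PasswordStore()
    hashed_store.register("alice", client_side_hash(secret))

    # An eavesdropper on a channel without TLS sees exactly this value...
    captured_on_wire = client_side_hash(secret)
    # ...and can present it without ever learning the original password.
    results["replayed_client_hash"] = hashed_store.verify("alice", captured_on_wire)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "replayed_client_hash" outcome is the pass-the-hash concern alex_02 alludes to: client-side hashing changes which string is secret, not whether it can be captured, so it is not a substitute for HTTPS. It can still be layered on top of TLS as defence in depth (the server then never sees the raw password), but the server must still salt and stretch whatever it receives, as `hashed_store` does here.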

[–] iamak 1 points 2 years ago

I will check it out. Thanks!
