this post was submitted on 18 Jul 2023
5 points (100.0% liked)

Discussions related to Infosec.pub

1128 readers
1 users here now

founded 1 year ago
MODERATORS
 

I tried logging in on browser and I had inspected the request. My password was sent in plaintext. Is this a infosec.pub issue or a Lemmy one?

you are viewing a single comment's thread
view the rest of the comments
[–] alex_02@infosec.pub 2 points 1 year ago

Most of the comments are misconceptions. SSL/TLS is supposed to create a tunnel on top of TCP. If implented correctly, it is supposed to connect, establish a session key, and anything going back and forth from server to client will be using the tunnel using a symmetric encryption. On client side usually your password will be sent plaintext before the server hashes it and checks against a db of hashes. Client side should not hash the password which I am fairly sure would allow pass-the-hash, but don't quote me on that. Also, there is possiblity of MITM, but it requires specific conditions and isn't like with how sslstrip or whatever was a while ago.

I'm tired so I might be wrong about some of this stuff, but The cryptography SO has a lot of questions on how SSL/TLS works and I suggest googling how TLS works.