Discussions related to Infosec.pub

1121 readers

1 users here now

founded 1 year ago

MODERATORS

[email protected]

Passwords sent as plaintext? (infosec.pub)

submitted 1 year ago by [email protected] to c/[email protected]

23 comments fedilink hide all child comments

I tried logging in on browser and I had inspected the request. My password was sent in plaintext. Is this a infosec.pub issue or a Lemmy one?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 4 points 1 year ago (1 children)

Most of the comments are misconceptions. SSL/TLS is supposed to create a tunnel on top of TCP. If implented correctly, it is supposed to connect, establish a session key, and anything going back and forth from server to client will be using the tunnel using a symmetric encryption. On client side usually your password will be sent plaintext before the server hashes it and checks against a db of hashes. Client side should not hash the password which I am fairly sure would allow pass-the-hash, but don't quote me on that. Also, there is possiblity of MITM, but it requires specific conditions and isn't like with how sslstrip or whatever was a while ago.

I'm tired so I might be wrong about some of this stuff, but The cryptography SO has a lot of questions on how SSL/TLS works and I suggest googling how TLS works.

[–] [email protected] 1 points 1 year ago

I will check it out. Thanks!