Is my form password being passed in clear text?

2019-04-25 01:01发布

问题:

This is what my browser sent, when logging into some site:

POST http://www.some.site/login.php HTTP/1.0
User-Agent: Opera/8.26 (X2000; Linux i686; Z; en)
Host: www.some.site
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.some.site/
Proxy-Connection: close
Content-Length: 123
Content-Type: application/x-www-form-urlencoded

lots_of_stuff=here&e2ad811=my_login_name&e327696=my_password&lots_of_stuff=here

Can I state that anyone can sniff my login name and password for that site? Maybe just on my LAN?
If so (even only on LAN ) then I'm shocked. I thought using

<input type="password">

did something more than make all characters look like ' * '

p.s. If it matters I played with netcat (on linux) and made connection
browser <=> netcat (loged here) <=> proxy <=> remote_site

回答1:

Every data sent trought a http connection can be seen by someone in your route to the server (man in the middle attack).

type="password" only hides the character on-screen, and even other programs on your computer can read the data.

The only way to protect the data is to send it trought SSL (HTTPS instead of HTTP)



回答2:

type="password" only hides the character on-screen. If you want to stop sniffing, you need to encrypt the connection (i.e. HTTPS).



回答3:

You can either encrypt the HTTP connection via HTTPS, or there are MD5 and other hashing algorithms implemented in JavaScript that can be used client side to hash the password client side before sending it, hence stopping a sniffer being able to read your password.



回答4:

Yes, your credentials are passed in cleartext, anyone who can hear your network traffic can sniff them.



回答5:

Contents of a POST body are visible, i.e., "in the clear," if transported on a non-encrypted channel. If you wish to protect the HTTP body from being sniffed, you should do so over a secure channel, via HTTPS.