This is what my browser sent, when logging into some site:
POST http://www.some.site/login.php HTTP/1.0
User-Agent: Opera/8.26 (X2000; Linux i686; Z; en)
Host: www.some.site
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.some.site/
Proxy-Connection: close
Content-Length: 123
Content-Type: application/x-www-form-urlencoded
lots_of_stuff=here&e2ad811=my_login_name&e327696=my_password&lots_of_stuff=here
Can I state that anyone can sniff my login name and password for that site?
Maybe just on my LAN?
If so (even only on LAN ) then I'm shocked. I thought using
<input type="password">
did something more than make all characters look like ' * '
p.s. If it matters I played with netcat (on linux) and made connection
browser <=> netcat (loged here) <=> proxy <=> remote_site
Every data sent trought a http connection can be seen by someone in your route to the server (man in the middle attack).
type="password" only hides the character on-screen, and even other programs on your computer can read the data.
The only way to protect the data is to send it trought SSL (HTTPS instead of HTTP)
type="password" only hides the character on-screen. If you want to stop sniffing, you need to encrypt the connection (i.e. HTTPS).
You can either encrypt the HTTP connection via HTTPS, or there are MD5 and other hashing algorithms implemented in JavaScript that can be used client side to hash the password client side before sending it, hence stopping a sniffer being able to read your password.
Yes, your credentials are passed in cleartext, anyone who can hear your network traffic can sniff them.
Contents of a POST body are visible, i.e., "in the clear," if transported on a non-encrypted channel. If you wish to protect the HTTP body from being sniffed, you should do so over a secure channel, via HTTPS.