How safe is it to send a plain text password using

Posted 2020-02-03 04:45

Maybe the title is badly phrased but couldn't think of a better way of saying it.

I am working on a login system at the moment (nothing formal, just experimenting) and was planning on using PHPLiveX (an AJAX library) for some features. Basically you create some PHP functions which are then called via JavaScript. You can add parameters (getElementById) to the JavaScript that are transferred to the PHP function.

What I really wanted to know is whether it is safe to just call the function from JavaScript without encrypting the password first, then letting the PHP function encrypt it (SHA256 in this case). Can the data transferred via AJAX be intercepted? If so, how likely is this?

13 answers
来,给爷笑一个
Reply #2 · 2020-02-03 05:02

It isn't safe. Don't send unencrypted passwords. It's very likely that they will be intercepted at some point, and you will have a major problem.

Here is a video example of capturing a telnet password. Telnet sends in plain text, and this nicely illustrates the major problem you have if you even think of doing this. Any two-bit script kiddie can snag a plain text password faster than you can say "Oh my God, where did my database go?"

闹够了就滚
Reply #3 · 2020-02-03 05:06

AJAX calls are just plain HTTP requests.

An AJAX call behaves like an ordinary HTTP request and comes with all of its advantages and disadvantages. It is not any safer.

To make your AJAX calls safe, there are several ways you can try:

  1. Use SSL. SSL will encrypt messages between your user and your server. The disadvantage of SSL is that you will have to pay an additional fee for valid SSL certificates. Invalid SSL certificates, while usable, do not provide the same level of guarantee of security to the users.
  2. Encrypt requests before they are sent, client-side. E.g.: hash users' passwords before they are sent over the network. Most of the time, you don't need users' plain text passwords anyway. This is not usable when users don't allow client-side scripting to run.
  3. And contrary to the common misleading claim that POST is safer than GET, it is not. Both are equally open for attackers to see.
霸刀☆藐视天下
Reply #4 · 2020-02-03 05:09

No more or less safe than a normal HTTP POST request issued by a browser (as in from a <form>).

The "fix" for this is the same "fix" for non-AJAX requests: use SSL.

Viruses.
Reply #5 · 2020-02-03 05:11

As already mentioned, SSL is the best solution here. However, you could hash the password on the client side. If you google for it, you'll find plenty of JavaScript implementations of MD5.

SAY GOODBYE
Reply #6 · 2020-02-03 05:16

Yes, it can be read. Just like everything else without some kind of security layer (see SSL).

To see it yourself, run a tool like Wireshark as you do your AJAX commands.

How likely? Not very, but the user's password will probably be saved in someone's log files in plain text. If someone eventually found it, then it could be bad news. Back in college, my networking class had access to some (semi) fancy routers. We had assignments where we signed up for accounts on random websites. As we did this, we noticed some very scary things in the log files on the routers. This was an eye-opener for me to think about how every communication is tracked and most likely logged somewhere.

做个烂人
Reply #7 · 2020-02-03 05:24

This is just as safe as having a login form that is not SSL-secured sent over the wire, like almost all forums out there do!
