{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 该账号已被封号 的问题《Is this correct? Should firebug see SSL-protected》','https://www.manongdao.com/q-1365222.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have enabled SSL and I am doing a jQuery AJAX post request and sending some fields to the server.
When I look at the AJAX post request through firebug under the post parameters I see all the fields in clear text.
So this means I can see the passwords in clear text. Is this normal? I am also looking at it with fiddler and it does not even log this AJAX request(so its like the request was never made).
So is it just because firebug is installed in the browser and can capture it or what?
ssl enables security when the data moves from browser to web sever. Firebug is a browser plugin, it knows everything in the DOM tree. I think it makes sense for firebug display the input fields and form data.
Yes, you can see the field data because FireBug is capturing the requests inside Firefox before they're encrypted. If you inspect the actual network traffic with a protocol analyzer like Wireshark you'll see that it's encrypted.
Off the top of my head I would think that Firebug is showing you exactly what is being sent. Otherwise it would mean that it is somehow decode encoded information.
If you really want to confirm this, use a tool which can capture the web traffic outside of the browser. Tcpdump for example.
"So this means I can see the passwords in clear text. Is this normal?"
Yup. The data resides on your browser, that is - the user agent, and is captured before it is communicated to the server. Any encryption operation is vulnerable to sniffing at the point at which the value enters the closed system. That's why if your machine is compromised (say, by malware) very little will help.