If the Charles SSL Proxy shows me sensitive data, is that data insecure/exposed?What is the interest of Reverse Proxy?Anonymous proxy over SSLMan-in-the-middle Blue Coat proxy SSL or what?SSL Communication and ProxyProblems with intermediate SSL certificates and SSL proxyReverse Proxy SSLReverse Proxy SSL containerData exposed through campus proxyIf a computer is connected to a proxy, will all outgoing traffic go through that proxy?SSL Proxy as a man in the middle

Compaq Portable vs IBM 5155 Portable PC

Did 20% of US soldiers in Vietnam use heroin, 95% of whom quit afterwards?

My players want to grind XP but we're using milestone advancement

Why would Ryanair allow me to book this journey through a third party, but not through their own website?

How to ignore kerning of underbrace in math mode

Apt - strange requests to d16r8ew072anqo.cloudfront.net:80

Why do Russians almost not use verbs of possession akin to "have"?

Python program to take in two strings and print the larger string

Why most published works in medical imaging try reducing false positives?

Is it legal to meet with potential future employers in the UK, whilst visiting from the USA

Why does Mjolnir fall down in Age of Ultron but not in Endgame?

Could a 19.25mm revolver actually exist?

Is Jon Snow the last of his House?

Efficient Algorithm for the boundary of a set of tiles

Why does this if-statement combining assignment and an equality check return true?

Remove CiviCRM and Drupal links / banner on profile form

Defining the standard model of PA so that a space alien could understand

Need to read my home electrical meter

Best material to absorb as much light as possible

Find the three digit Prime number P from the given unusual relationships

Which European Languages are not Indo-European?

Does this strict reading of the rules allow both Extra Attack and the Thirsting Blade warlock invocation to be used together?

What is a Power on Reset IC?

Of strange atmospheres - the survivable but unbreathable



If the Charles SSL Proxy shows me sensitive data, is that data insecure/exposed?


What is the interest of Reverse Proxy?Anonymous proxy over SSLMan-in-the-middle Blue Coat proxy SSL or what?SSL Communication and ProxyProblems with intermediate SSL certificates and SSL proxyReverse Proxy SSLReverse Proxy SSL containerData exposed through campus proxyIf a computer is connected to a proxy, will all outgoing traffic go through that proxy?SSL Proxy as a man in the middle






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








22















Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.



I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.



It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:



enter image description here



Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?



Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?



Are my assumptions true and if they are, what should I do about it?






authentication proxy websites







share|improve this question









New contributor



K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • 8





    But how would anyone capture this without installing the root certificate on your phone first?

    – Luc
    May 17 at 13:15






  • 42





    Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.

    – MechMK1
    May 17 at 13:16











  • @Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.

    – K.Vovk
    May 17 at 13:16












  • @MechMK1 got it. Was in a hurry, sorry.

    – K.Vovk
    May 17 at 13:17






  • 4





    note that you can view the same info with the browser's built-in developer tools.

    – dandavis
    May 17 at 18:10

















22















Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.



I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.



It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:



enter image description here



Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?



Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?



Are my assumptions true and if they are, what should I do about it?






authentication proxy websites







share|improve this question









New contributor



K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • 8





    But how would anyone capture this without installing the root certificate on your phone first?

    – Luc
    May 17 at 13:15






  • 42





    Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.

    – MechMK1
    May 17 at 13:16











  • @Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.

    – K.Vovk
    May 17 at 13:16












  • @MechMK1 got it. Was in a hurry, sorry.

    – K.Vovk
    May 17 at 13:17






  • 4





    note that you can view the same info with the browser's built-in developer tools.

    – dandavis
    May 17 at 18:10













22












22








22


2






Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.



I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.



It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:



enter image description here



Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?



Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?



Are my assumptions true and if they are, what should I do about it?






authentication proxy websites







share|improve this question









New contributor



K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.



I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.



It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:



enter image description here



Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?



Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?



Are my assumptions true and if they are, what should I do about it?






authentication proxy websites




authentication proxy websites






share|improve this question









New contributor



K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










share|improve this question









New contributor



K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question








edited May 18 at 21:36









Charles Duffy

30729




30729






New contributor



K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked May 17 at 13:08









K.VovkK.Vovk

11314




11314




New contributor



K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









  • 8





    But how would anyone capture this without installing the root certificate on your phone first?

    – Luc
    May 17 at 13:15






  • 42





    Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.

    – MechMK1
    May 17 at 13:16











  • @Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.

    – K.Vovk
    May 17 at 13:16












  • @MechMK1 got it. Was in a hurry, sorry.

    – K.Vovk
    May 17 at 13:17






  • 4





    note that you can view the same info with the browser's built-in developer tools.

    – dandavis
    May 17 at 18:10












  • 8





    But how would anyone capture this without installing the root certificate on your phone first?

    – Luc
    May 17 at 13:15






  • 42





    Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.

    – MechMK1
    May 17 at 13:16











  • @Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.

    – K.Vovk
    May 17 at 13:16












  • @MechMK1 got it. Was in a hurry, sorry.

    – K.Vovk
    May 17 at 13:17






  • 4





    note that you can view the same info with the browser's built-in developer tools.

    – dandavis
    May 17 at 18:10







8




8





But how would anyone capture this without installing the root certificate on your phone first?

– Luc
May 17 at 13:15





But how would anyone capture this without installing the root certificate on your phone first?

– Luc
May 17 at 13:15




42




42





Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.

– MechMK1
May 17 at 13:16





Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.

– MechMK1
May 17 at 13:16













@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.

– K.Vovk
May 17 at 13:16






@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.

– K.Vovk
May 17 at 13:16














@MechMK1 got it. Was in a hurry, sorry.

– K.Vovk
May 17 at 13:17





@MechMK1 got it. Was in a hurry, sorry.

– K.Vovk
May 17 at 13:17




4




4





note that you can view the same info with the browser's built-in developer tools.

– dandavis
May 17 at 18:10





note that you can view the same info with the browser's built-in developer tools.

– dandavis
May 17 at 18:10










2 Answers
2






active

oldest

votes


















47














You seem to fundamentally misunderstand what TLS does.



TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures




  • Confidentiality: An attacker who captures the network traffic can not read the content of the communication.


  • Integrity: If an attacker modifies the network traffic, this would result in errors.


  • Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)

If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.



What does the proxy do now?



If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!



When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.



An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.



So, is this an issue now?



No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.






share|improve this answer























  • One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.

    – John Dvorak
    May 17 at 13:50






  • 4





    @JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.

    – MechMK1
    May 17 at 13:51






  • 2





    Thank you. I completely understand now.

    – K.Vovk
    May 17 at 13:51






  • 4





    @MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…

    – Peter Harmann
    May 17 at 14:21







  • 3





    when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL

    – Expired Data
    May 17 at 16:19


















4














How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.



That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.






share|improve this answer


















  • 1





    I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there

    – K.Vovk
    May 17 at 13:53






  • 1





    @K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?

    – fabspro
    May 17 at 15:32






  • 4





    … and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.

    – Jörg W Mittag
    May 17 at 15:43











  • Oooooh, got it. Thank you for your time.

    – K.Vovk
    May 17 at 16:11











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210356%2fif-the-charles-ssl-proxy-shows-me-sensitive-data-is-that-data-insecure-exposed%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









47














You seem to fundamentally misunderstand what TLS does.



TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures




  • Confidentiality: An attacker who captures the network traffic can not read the content of the communication.


  • Integrity: If an attacker modifies the network traffic, this would result in errors.


  • Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)

If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.



What does the proxy do now?



If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!



When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.



An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.



So, is this an issue now?



No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.






share|improve this answer























  • One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.

    – John Dvorak
    May 17 at 13:50






  • 4





    @JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.

    – MechMK1
    May 17 at 13:51






  • 2





    Thank you. I completely understand now.

    – K.Vovk
    May 17 at 13:51






  • 4





    @MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…

    – Peter Harmann
    May 17 at 14:21







  • 3





    when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL

    – Expired Data
    May 17 at 16:19















47














You seem to fundamentally misunderstand what TLS does.



TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures




  • Confidentiality: An attacker who captures the network traffic can not read the content of the communication.


  • Integrity: If an attacker modifies the network traffic, this would result in errors.


  • Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)

If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.



What does the proxy do now?



If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!



When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.



An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.



So, is this an issue now?



No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.






share|improve this answer























  • One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.

    – John Dvorak
    May 17 at 13:50






  • 4





    @JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.

    – MechMK1
    May 17 at 13:51






  • 2





    Thank you. I completely understand now.

    – K.Vovk
    May 17 at 13:51






  • 4





    @MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…

    – Peter Harmann
    May 17 at 14:21







  • 3





    when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL

    – Expired Data
    May 17 at 16:19













47












47








47







You seem to fundamentally misunderstand what TLS does.



TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures




  • Confidentiality: An attacker who captures the network traffic can not read the content of the communication.


  • Integrity: If an attacker modifies the network traffic, this would result in errors.


  • Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)

If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.



What does the proxy do now?



If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!



When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.



An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.



So, is this an issue now?



No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.






share|improve this answer













You seem to fundamentally misunderstand what TLS does.



TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures




  • Confidentiality: An attacker who captures the network traffic can not read the content of the communication.


  • Integrity: If an attacker modifies the network traffic, this would result in errors.


  • Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)

If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.



What does the proxy do now?



If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!



When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.



An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.



So, is this an issue now?



No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.







share|improve this answer












share|improve this answer



share|improve this answer










answered May 17 at 13:26









MechMK1MechMK1

2,6731629




2,6731629












  • One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.

    – John Dvorak
    May 17 at 13:50






  • 4





    @JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.

    – MechMK1
    May 17 at 13:51






  • 2





    Thank you. I completely understand now.

    – K.Vovk
    May 17 at 13:51






  • 4





    @MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…

    – Peter Harmann
    May 17 at 14:21







  • 3





    when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL

    – Expired Data
    May 17 at 16:19

















  • One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.

    – John Dvorak
    May 17 at 13:50






  • 4





    @JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.

    – MechMK1
    May 17 at 13:51






  • 2





    Thank you. I completely understand now.

    – K.Vovk
    May 17 at 13:51






  • 4





    @MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…

    – Peter Harmann
    May 17 at 14:21







  • 3





    when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL

    – Expired Data
    May 17 at 16:19
















One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.

– John Dvorak
May 17 at 13:50





One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.

– John Dvorak
May 17 at 13:50




4




4





@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.

– MechMK1
May 17 at 13:51





@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.

– MechMK1
May 17 at 13:51




2




2





Thank you. I completely understand now.

– K.Vovk
May 17 at 13:51





Thank you. I completely understand now.

– K.Vovk
May 17 at 13:51




4




4





@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…

– Peter Harmann
May 17 at 14:21






@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…

– Peter Harmann
May 17 at 14:21





3




3





when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL

– Expired Data
May 17 at 16:19





when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL

– Expired Data
May 17 at 16:19













4














How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.



That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.






share|improve this answer


















  • 1





    I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there

    – K.Vovk
    May 17 at 13:53






  • 1





    @K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?

    – fabspro
    May 17 at 15:32






  • 4





    … and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.

    – Jörg W Mittag
    May 17 at 15:43











  • Oooooh, got it. Thank you for your time.

    – K.Vovk
    May 17 at 16:11















4














How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.



That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.






share|improve this answer


















  • 1





    I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there

    – K.Vovk
    May 17 at 13:53






  • 1





    @K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?

    – fabspro
    May 17 at 15:32






  • 4





    … and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.

    – Jörg W Mittag
    May 17 at 15:43











  • Oooooh, got it. Thank you for your time.

    – K.Vovk
    May 17 at 16:11













4












4








4







How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.



That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.






share|improve this answer













How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.



That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.







share|improve this answer












share|improve this answer



share|improve this answer










answered May 17 at 13:25









Esa JokinenEsa Jokinen

4,6261623




4,6261623







  • 1





    I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there

    – K.Vovk
    May 17 at 13:53






  • 1





    @K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?

    – fabspro
    May 17 at 15:32






  • 4





    … and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.

    – Jörg W Mittag
    May 17 at 15:43











  • Oooooh, got it. Thank you for your time.

    – K.Vovk
    May 17 at 16:11












  • 1





    I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there

    – K.Vovk
    May 17 at 13:53






  • 1





    @K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?

    – fabspro
    May 17 at 15:32






  • 4





    … and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.

    – Jörg W Mittag
    May 17 at 15:43











  • Oooooh, got it. Thank you for your time.

    – K.Vovk
    May 17 at 16:11







1




1





I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there

– K.Vovk
May 17 at 13:53





I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there

– K.Vovk
May 17 at 13:53




1




1





@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?

– fabspro
May 17 at 15:32





@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?

– fabspro
May 17 at 15:32




4




4





… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.

– Jörg W Mittag
May 17 at 15:43





… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.

– Jörg W Mittag
May 17 at 15:43













Oooooh, got it. Thank you for your time.

– K.Vovk
May 17 at 16:11





Oooooh, got it. Thank you for your time.

– K.Vovk
May 17 at 16:11










K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.












K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.











K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.














Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210356%2fif-the-charles-ssl-proxy-shows-me-sensitive-data-is-that-data-insecure-exposed%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Get product attribute by attribute group code in magento 2get product attribute by product attribute group in magento 2Magento 2 Log Bundle Product Data in List Page?How to get all product attribute of a attribute group of Default attribute set?Magento 2.1 Create a filter in the product grid by new attributeMagento 2 : Get Product Attribute values By GroupMagento 2 How to get all existing values for one attributeMagento 2 get custom attribute of a single product inside a pluginMagento 2.3 How to get all the Multi Source Inventory (MSI) locations collection in custom module?Magento2: how to develop rest API to get new productsGet product attribute by attribute group code ( [attribute_group_code] ) in magento 2

Image
Is it safe to keep the GPU on 100% utilization for a very long time? What happens when the drag force exceeds the weight of an object falling into earth? shebang or not shebang The unknown and unexplained in science fiction Are wands in any sort of book going to be too much like Harry Potter? How do I minimise waste on a flight? Concatenate all values of the same XML element using XPath/XQuery Did any early RISC OS precursor run on the BBC Micro? Single supply non-inverting amplifier using op amp Employee is self-centered and affects the team negatively Why always 4...dxc6 and not 4...bxc6 in the Ruy Lopez Exchange? TikZ/PGF draw algorithm Learning how to read schematics, questions about fractional voltage in schematic How can I test a shell script in a "safe environment" to avoid harm to my computer? A♭ major 9th chord in Bach is unexpectedly dissonant/jazzy What detail can Hubble see on Mars? Drug Testing and Prescribed Medications Justific
Read more

Category:9 (number) SubcategoriesMedia in category "9 (number)"Navigation menuUpload mediaGND ID: 4485639-8Library of Congress authority ID: sh85091979ReasonatorScholiaStatistics

Image
Natural numbersSquare numbersCategories requiring diffusion Help Category:9 (number) From Wikimedia Commons, the free media repository Jump to navigation Jump to search number: 9 (nine) instance of: natural number, deficient number, square number, composite number, odd number, centered cube number, centered octagonal number and nonagonal number other integers: -8 • -4 • -2 • -1 • 0 • 1 • 2 • 3 • 4 • 5 • 6 • 7 • 8 • 9 • 10 • 11 • 12 • 13 • 14 • 15 • 16 • 17 • 18 • 19 • 20 • 21 • 22 • 23 • 24 • 25 • 26 • 27 • 28 • 29 -20 • 0 • 10 • 20 • 30 • 40 • 50 • 60 • 70 • 80 • 90 • 100 • 110 • 120 • 130 • 140 • 150 • 160 • 170 • 180 • 190 • 200 This category has become too crowded. It should list very few images directly. Files should be moved to subcategories where appropriate. New subcategories can be created. Some files need to be moved elsewhere. Search for more categories: fulltext, Main Page, topics, meta categories. Please remove or replace this tag
Read more

Magento 2.3: How do i solve this, Not registered handle, on custom form?How can i rewrite TierPrice Block in Magento2magento 2 captcha not rendering if I override layout xmlmain.CRITICAL: Plugin class doesn't existMagento 2 : Problem while adding custom button order view page?Magento 2.2.5: Overriding Admin Controller sales/orderMagento 2.2.5: Add, Update and Delete existing products Custom OptionsMagento 2.3 : File Upload issue in UI Component FormMagento2 Not registered handleHow to configured Form Builder Js in my custom magento 2.3.0 module?Magento 2.3. How to create image upload field in an admin form

Image
2000s (or earlier) cyberpunk novel: dystopia, mega storm, omnipresent noise How important is it for multiple POVs to run chronologically? PhD: When to quit and move on? Motorcyle Chain needs to be cleaned every time you lube it? Why do most airliners have underwing engines, while business jets have rear-mounted engines? How to supply water to a coastal desert town with no rain and no freshwater aquifers? How come a desk dictionary be abridged? What's the big deal about the Nazgûl losing their horses? Is this standard Japanese employment negotiations, or am I missing something? Should I increase my 401(k) contributions, or increase my mortgage payments Is there a way to change the aspect ratio of a DNG file? Why is there paternal, for fatherly, fraternal, for brotherly, but no similar word for sons? What can a novel do that film and TV cannot? Is conquering your neighbors to fight a greater enemy a valid strategy? /api/sitecore is not working in CD server
Read more