If the Charles SSL Proxy shows me sensitive data, is that data insecure/exposed?What is the interest of Reverse Proxy?Anonymous proxy over SSLMan-in-the-middle Blue Coat proxy SSL or what?SSL Communication and ProxyProblems with intermediate SSL certificates and SSL proxyReverse Proxy SSLReverse Proxy SSL containerData exposed through campus proxyIf a computer is connected to a proxy, will all outgoing traffic go through that proxy?SSL Proxy as a man in the middle
Compaq Portable vs IBM 5155 Portable PC
Did 20% of US soldiers in Vietnam use heroin, 95% of whom quit afterwards?
My players want to grind XP but we're using milestone advancement
Why would Ryanair allow me to book this journey through a third party, but not through their own website?
How to ignore kerning of underbrace in math mode
Apt - strange requests to d16r8ew072anqo.cloudfront.net:80
Why do Russians almost not use verbs of possession akin to "have"?
Python program to take in two strings and print the larger string
Why most published works in medical imaging try reducing false positives?
Is it legal to meet with potential future employers in the UK, whilst visiting from the USA
Why does Mjolnir fall down in Age of Ultron but not in Endgame?
Could a 19.25mm revolver actually exist?
Is Jon Snow the last of his House?
Efficient Algorithm for the boundary of a set of tiles
Why does this if-statement combining assignment and an equality check return true?
Remove CiviCRM and Drupal links / banner on profile form
Defining the standard model of PA so that a space alien could understand
Need to read my home electrical meter
Best material to absorb as much light as possible
Find the three digit Prime number P from the given unusual relationships
Which European Languages are not Indo-European?
Does this strict reading of the rules allow both Extra Attack and the Thirsting Blade warlock invocation to be used together?
What is a Power on Reset IC?
Of strange atmospheres - the survivable but unbreathable
If the Charles SSL Proxy shows me sensitive data, is that data insecure/exposed?
What is the interest of Reverse Proxy?Anonymous proxy over SSLMan-in-the-middle Blue Coat proxy SSL or what?SSL Communication and ProxyProblems with intermediate SSL certificates and SSL proxyReverse Proxy SSLReverse Proxy SSL containerData exposed through campus proxyIf a computer is connected to a proxy, will all outgoing traffic go through that proxy?SSL Proxy as a man in the middle
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
edited May 18 at 21:36
Charles Duffy
30729
asked May 17 at 13:08
K.VovkK.Vovk
11314
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 1 more comment
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
edited May 18 at 21:36
Charles Duffy
30729
asked May 17 at 13:08
K.VovkK.Vovk
11314
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
May 17 at 13:15
42
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
May 17 at 13:16
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
May 17 at 13:16
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
May 17 at 13:17
4
note that you can view the same info with the browser's built-in developer tools.
– dandavis
May 17 at 18:10
|
show 1 more comment
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
edited May 18 at 21:36
Charles Duffy
30729
asked May 17 at 13:08
K.VovkK.Vovk
11314
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
authentication proxy websites
edited May 18 at 21:36
Charles Duffy
30729
asked May 17 at 13:08
K.VovkK.Vovk
11314
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited May 18 at 21:36
Charles Duffy
30729
asked May 17 at 13:08
K.VovkK.Vovk
11314
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited May 18 at 21:36
Charles Duffy
30729
edited May 18 at 21:36
Charles Duffy
30729
edited May 18 at 21:36
Charles Duffy
30729
30729
asked May 17 at 13:08
K.VovkK.Vovk
11314
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked May 17 at 13:08
K.VovkK.Vovk
11314
asked May 17 at 13:08
K.VovkK.Vovk
11314
11314
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
May 17 at 13:15
42
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
May 17 at 13:16
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
May 17 at 13:16
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
May 17 at 13:17
4
note that you can view the same info with the browser's built-in developer tools.
– dandavis
May 17 at 18:10
|
show 1 more comment
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
May 17 at 13:15
42
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
May 17 at 13:16
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
May 17 at 13:16
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
May 17 at 13:17
4
note that you can view the same info with the browser's built-in developer tools.
– dandavis
May 17 at 18:10
8
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
May 17 at 13:15
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
May 17 at 13:15
42
42
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
May 17 at 13:16
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
May 17 at 13:16
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
May 17 at 13:16
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
May 17 at 13:16
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
May 17 at 13:17
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
May 17 at 13:17
4
4
note that you can view the same info with the browser's built-in developer tools.
– dandavis
May 17 at 18:10
note that you can view the same info with the browser's built-in developer tools.
– dandavis
May 17 at 18:10
|
show 1 more comment
2 Answers
2
active
oldest
votes
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
May 17 at 13:50
4
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
May 17 at 13:51
2
Thank you. I completely understand now.
– K.Vovk
May 17 at 13:51
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
May 17 at 14:21
3
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
May 17 at 16:19
|
show 6 more comments
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
May 17 at 13:53
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
May 17 at 15:32
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
May 17 at 15:43
Oooooh, got it. Thank you for your time.
– K.Vovk
May 17 at 16:11
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210356%2fif-the-charles-ssl-proxy-shows-me-sensitive-data-is-that-data-insecure-exposed%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
May 17 at 13:50
4
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
May 17 at 13:51
2
Thank you. I completely understand now.
– K.Vovk
May 17 at 13:51
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
May 17 at 14:21
3
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
May 17 at 16:19
|
show 6 more comments
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
May 17 at 13:50
4
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
May 17 at 13:51
2
Thank you. I completely understand now.
– K.Vovk
May 17 at 13:51
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
May 17 at 14:21
3
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
May 17 at 16:19
|
show 6 more comments
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
answered May 17 at 13:26
MechMK1MechMK1
2,6731629
2,6731629
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
May 17 at 13:50
4
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
May 17 at 13:51
2
Thank you. I completely understand now.
– K.Vovk
May 17 at 13:51
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
May 17 at 14:21
3
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
May 17 at 16:19
|
show 6 more comments
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
May 17 at 13:50
4
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
May 17 at 13:51
2
Thank you. I completely understand now.
– K.Vovk
May 17 at 13:51
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
May 17 at 14:21
3
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
May 17 at 16:19
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
May 17 at 13:50
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
May 17 at 13:50
4
4
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
May 17 at 13:51
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
May 17 at 13:51
2
2
Thank you. I completely understand now.
– K.Vovk
May 17 at 13:51
Thank you. I completely understand now.
– K.Vovk
May 17 at 13:51
4
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
May 17 at 14:21
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
May 17 at 14:21
3
3
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
May 17 at 16:19
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
May 17 at 16:19
|
show 6 more comments
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
May 17 at 13:53
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
May 17 at 15:32
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
May 17 at 15:43
Oooooh, got it. Thank you for your time.
– K.Vovk
May 17 at 16:11
add a comment |
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
May 17 at 13:53
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
May 17 at 15:32
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
May 17 at 15:43
Oooooh, got it. Thank you for your time.
– K.Vovk
May 17 at 16:11
add a comment |
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
answered May 17 at 13:25
Esa JokinenEsa Jokinen
4,6261623
4,6261623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
May 17 at 13:53
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
May 17 at 15:32
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
May 17 at 15:43
Oooooh, got it. Thank you for your time.
– K.Vovk
May 17 at 16:11
add a comment |
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
May 17 at 13:53
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
May 17 at 15:32
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
May 17 at 15:43
Oooooh, got it. Thank you for your time.
– K.Vovk
May 17 at 16:11
1
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
May 17 at 13:53
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
May 17 at 13:53
1
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
May 17 at 15:32
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
May 17 at 15:32
4
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
May 17 at 15:43
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
May 17 at 15:43
Oooooh, got it. Thank you for your time.
– K.Vovk
May 17 at 16:11
Oooooh, got it. Thank you for your time.
– K.Vovk
May 17 at 16:11
add a comment |
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210356%2fif-the-charles-ssl-proxy-shows-me-sensitive-data-is-that-data-insecure-exposed%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
May 17 at 13:15
42
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
May 17 at 13:16
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
May 17 at 13:16
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
May 17 at 13:17
4
note that you can view the same info with the browser's built-in developer tools.
– dandavis
May 17 at 18:10