Can we get that info the same way we do for FTP since HTTP is a plain text protocol?
Viewed 387 times
1 Answer
4
If the client passes the user credentials as plain text then yes, it will be possible to see them in the HTTP packets.

user9517
-
Hi @Iain, thanks for your reply. What do you mean by the client passing the user credential as plain text? Isn't HTTP a plain text protocol? Can a web developer use techniques to encrypt the password using HTTP? Thanks in advance :) – Yoane Maior May 13 '19 at 11:38
-
Not every web authentication method will send the passwords in plain text. Basic authentication and many login forms will send the password in plain text and should be using a secure channel like HTTPS to ensure transport security, but for instance something like Kerberos and the now mostly obsolete [RFC 2617](https://tools.ietf.org/html/rfc2617) "digest authentication" *could* be used instead and those won't show clear text passwords. – HBruijn May 13 '19 at 11:51
-
@HBruijn Basic auth uses base64 to obfuscate the user:pass, doesn't it? Yoane, plain text means the stream is not encrypted. – user9517 May 13 '19 at 11:56
-
@Iain AFAIK yes, with basic authentication passwords will be base64 encoded but that is both such a trivial form of obfuscation as well as a standard defined in the HTTP protocol. As such it is possibly even more obvious than clear text in a capture and with the http display filter Wireshark will automatically recognize and display the decoded clear text [`http.authbasic`](https://www.wireshark.org/docs/dfref/h/http.html) credentials even more easily than looking for "password" fields in login forms. – HBruijn May 13 '19 at 12:25
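
An added example, not part of the original thread: a small audit routine that classifies plaintext HTTP requests the way the comments above describe, reporting Basic credentials and form password fields as exposed (masked, never echoed) and Digest as not carrying the password. The sample requests, the host `example.test` and the list of form field names are constructed assumptions.

```python
import base64
from urllib.parse import parse_qsl

# Constructed sample requests (not taken from a real capture).
SAMPLES = [
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=bob&password=hunter2",
    b'GET /files HTTP/1.1\r\nHost: example.test\r\n'
    b'Authorization: Digest username="carol", realm="r", nonce="abc", '
    b'uri="/files", response="6629fae49393a05397450978507c4ef1"\r\n\r\n',
]

SENSITIVE_FIELDS = {"password", "passwd", "pass", "pwd"}  # assumed field names


def audit_request(raw):
    """Return findings for one plaintext HTTP request as (kind, user, masked)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    scheme, _, param = headers.get(b"authorization", b"").partition(b" ")
    if scheme.lower() == b"basic":
        try:
            # base64 is an encoding, not encryption: anyone on the path can undo it.
            text = base64.b64decode(param, validate=True).decode("utf-8", "replace")
            user, _, pw = text.partition(":")
            findings.append(("basic-auth", user, "*" * len(pw)))
        except ValueError:
            findings.append(("basic-auth-malformed", "", ""))
    elif scheme.lower() == b"digest":
        # Digest sends a hash derived from the password, never the password itself.
        findings.append(("digest-auth", "", ""))
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body.decode("utf-8", "replace")):
            if key.lower() in SENSITIVE_FIELDS:
                findings.append(("form-field:" + key, "", "*" * len(value)))
    return findings


if __name__ == "__main__":
    for request in SAMPLES:
        print(audit_request(request))
```

Any `basic-auth` or `form-field:` finding on a request that travelled over plain HTTP means the credential was readable on the wire and the endpoint should be moved behind HTTPS.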