
I implemented SSL on my web application, and it appears the password is still being sent in plain text.

Below is the code I use for login.

using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Hash the posted password (this runs on the server, after the form has been submitted)
MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider();
UTF8Encoding encoder = new UTF8Encoding();
byte[] hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(txtPassword.Text));

// Look up the user by id and hashed password through the For_Login stored procedure
SqlCommand com11 = new SqlCommand("For_Login", con);
com11.CommandType = CommandType.StoredProcedure;
com11.Parameters.AddWithValue("@User_Id", ddl.SelectedItem.Text);
com11.Parameters.AddWithValue("@Password", hashedDataBytes);
SqlDataAdapter sda = new SqlDataAdapter(com11);
DataTable dtcheck = new DataTable();
sda.Fill(dtcheck);
if (dtcheck.Rows.Count > 0)
{
    // logged in
}

But when I run the application on the server and start Fiddler, it shows the password in clear text. See the image below:

[image: Fiddler capture]

Why is this happening? What should I do?

  • Enabled SSL decryption on Fiddler? – Mat J Aug 21 '14 at 09:51
  • How can it make a difference? If someone wants to test it by disabling SSL decryption, then what should they do? – Gaurav Aug 21 '14 at 09:52
  • It makes all the difference. If SSL decryption is enabled, then Fiddler acts as a MITM and decrypts the encrypted traffic. What is your understanding of SSL, btw? – Mat J Aug 21 '14 at 09:54
  • How can we protect the password so that no one can see it using a tool like Fiddler? – Gaurav Aug 21 '14 at 10:00
  • @Gaurav, when using Fiddler like this, you've also allowed your browser to trust its certificate. Your password is protected, but you've allowed the MITM "attack" to happen, hence Fiddler can see it. Simply don't trust the Fiddler cert if you don't want this to happen. – Bruno Aug 21 '14 at 17:16
  • @Gaurav, if it is the password for the purposes of login, I would suggest only sending the SHA-2 hash on the wire. If this is data for something else, implement symmetric/asymmetric encryption and cert pinning. – zaitsman Jan 02 '15 at 08:52
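The comments above make the key point: TLS does encrypt the password on the wire, and Fiddler can read it only because the browser has been told to trust Fiddler's own root certificate, so the TLS session terminates at the proxy instead of at the server. The script below is an added example, not code from the original question, from Fiddler, or from the asker; it reproduces that mechanism offline with the openssl CLI. One site CSR is signed twice, by a constructed "legit" CA and by a constructed "proxy" CA, and `openssl verify` accepts the forged certificate only once the proxy root has been added to the trust store. The hostname and CA names are constructed for the demonstration. Note also that the MD5 call in the posted code hashes `txtPassword.Text` on the server during the postback, so it has no effect on what appears in the captured request body.

```shell
#!/bin/sh
# Added example (not from the original question). Shows why an intercepting
# proxy such as Fiddler can decrypt HTTPS: the browser accepts the proxy's
# forged site certificate only because the proxy's root CA was installed in
# its trust store. All CAs, the hostname and the certificates are constructed
# here for the demonstration. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One key and CSR for the site; the same CSR gets signed by two different CAs.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout site.key -out site.csr >/dev/null 2>&1

# mkcert <ca-common-name> <ca-file-prefix> <leaf-cert-file>
# Creates a self-signed root CA and issues a site certificate under it.
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
  openssl x509 -req -in site.csr -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$3" >/dev/null 2>&1
}

mkcert "Constructed Legit Root CA" legit_ca site_legit.pem   # what the real server presents
mkcert "Constructed Proxy Root CA" proxy_ca site_forged.pem  # what the intercepting proxy presents

# Trust store with both roots: the browser's store after the proxy root is installed.
cat legit_ca.pem proxy_ca.pem > both_cas.pem

# chain_ok <trusted-ca-file> <leaf-cert>: prints "accepted" or "rejected",
# the same decision a browser makes when it validates the server certificate.
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

echo "browser trusts only the legit CA:"
echo "  real site cert:   $(chain_ok legit_ca.pem site_legit.pem)"
echo "  forged site cert: $(chain_ok legit_ca.pem site_forged.pem)"
echo "browser also trusts the proxy root (decryption enabled):"
echo "  forged site cert: $(chain_ok both_cas.pem site_forged.pem)"
```

The "forged site cert" line flips from rejected to accepted only when the proxy root is present in the trust store, which is exactly what enabling HTTPS decryption in Fiddler does to the browser's store, and what removing that root (as Bruno suggests) undoes. The server-side code in the question plays no part in this decision.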

0 Answers