
My understanding is that a website's data will be encrypted when transferred between the browser and the server over the HTTPS protocol. When is it encrypted?

In a login form, I use the Telerik Fiddler Web Debugger to capture the request, and I still see the plaintext password. Another question: an IT admin with a traffic-sniffing tool or a proxy can capture the HTTPS request and see the sensitive values, can't he?

So when will the data be encrypted?

Rango

1 Answer


That's an interesting question. The browser's network library will encrypt the data when sending a request via HTTPS. When a request is sent via HTTPS, the client (browser) performs a TLS handshake to negotiate the encryption details and then sends the data encrypted. I am assuming that the plaintext password you are seeing is in Fiddler's browser plugin and not in the proxy application. You can always see the network request information/payload, including the clear password, in the network tab of the browser while inspecting that specific request. You would not be able to see the request's data in plain text in a proxy interceptor, nor in a sniffer app like Wireshark, when it is sent over HTTPS. As you can see from the Telerik Fiddler video, they are only showing HTTP requests.

You can definitely set up a proxy (a man-in-the-middle proxy) that will be able to inspect SSL traffic. This is done in a lot of corporate networks. For that you would set up a forward proxy with an SSL certificate that is trusted by the browser, which will then allow the proxy to decrypt the HTTPS request that is coming from the browser and inspect it.

When data is sent over HTTP, the data can be sniffed and the person can see the request info and the payload. That is the reason a person should always send sensitive data over a TLS connection.

UPDATE:

This diagram shows the client-to-server connectivity via HTTPS. The form data is always encrypted before it is sent over the internet.

[Diagram: client-to-server connectivity via HTTPS]

This image is from SonicWall SSL Control

Yan
  • @Yan, "You can definitely set up a proxy (a man-in-the-middle proxy) that will be able to inspect SSL traffic. This is done in a lot of corporate networks. For that you would set up a forward proxy with an SSL certificate that is trusted by the browser, which will then allow the proxy to decrypt the HTTPS request that is coming from the browser and inspect it." => So the login form must send the password in non-clear-text? – Rango Jan 08 '21 at 01:58
  • @Rango The HTTPS request (headers and payload) is always encrypted before it is sent over the internet. I added an update to the answer. The same flow happens when the browser makes an HTTPS request while submitting a form. – Yan Jan 08 '21 at 04:44
  • Thanks for your details. I understand that the browser will encrypt the HTTPS request before sending it to the web server. So no one and no tool can capture and decrypt the request data. I have a confusion. I do the following: > Install the Progress Telerik Fiddler Web Debugger tool from https://www.telerik.com/download/fiddler (not the browser inspect extension). > Open the tool after it is installed. > Open the browser and access the Google sign-in page. > Input the account, click Next. > Go back to the Progress Telerik Fiddler Web Debugger tool and inspect the Google request. > I can see the plain data. – Rango Jan 11 '21 at 09:10
  • So my question: an IT administrator can set up the same tool on the company network, and he can inspect the request. – Rango Jan 11 '21 at 09:20
  • When you set up Fiddler, did you click on "accept Fiddler root certificate"? Is this tutorial more or less what you did to set up Fiddler? https://www.codementor.io/@aydindev/introduction-to-using-fiddler-for-debug-http-s-requests-djf60hjsf – Yan Jan 11 '21 at 21:38
  • Yes, I configured Fiddler to decrypt the HTTPS traffic. – Rango Jan 12 '21 at 02:15
  • That explains it. If you accepted the root certificate in your browser, then Fiddler became the forward proxy, decrypting your HTTPS traffic, then re-encrypting it and forwarding it to its destination. Fiddler is then able to inspect the traffic and see passwords in plain text. This is done by many corporations to monitor network traffic. – Yan Jan 12 '21 at 02:25
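The trust decision the answer and the last comment describe, as an added example in Go (not code from the question, the answer, Fiddler, or any project named in the thread): it builds a constructed "public" CA, a constructed interception root standing in for the Fiddler root, and two server certificates for the same constructed hostname (`login.example.test`), then runs a real TLS handshake over an in-memory pipe for each of the thread's three situations. The client verifies the presented chain against its own trust store, exactly the check a browser makes, and additionally compares the server's public key against a pinned value, the check a pinning client (a mobile app, for instance) makes. Every name, hostname and certificate in the block is constructed for the demo; nothing leaves the process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

const siteName = "login.example.test" // constructed hostname; nothing leaves the process

// issue makes a P-256 cert: a self-signed CA when parent is nil, else a server cert for cn signed by parent. Demo-only: panics on error.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, // key usages kept uniform for brevity
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		tmpl.DNSNames = []string{cn}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing our own output cannot fail
	return cert, key
}

// spkiPin is the HPKP-style pin of a certificate: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// connect runs a real TLS handshake over net.Pipe. The client checks the chain against roots (its trust
// store) and the leaf key against expectedPin; either failure aborts the handshake before any form data is sent.
func connect(leaf *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, expectedPin string) (trusted, pinOK bool, err error) {
	clientEnd, serverEnd := net.Pipe()
	srv := tls.Server(serverEnd, &tls.Config{SessionTicketsDisabled: true, // no post-handshake writes on a synchronous pipe
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cli := tls.Client(clientEnd, &tls.Config{
		ServerName:         siteName,
		InsecureSkipVerify: true, // verification is done explicitly below so its outcome can be reported
		VerifyConnection: func(cs tls.ConnectionState) error {
			peer := cs.PeerCertificates[0]
			pinOK = spkiPin(peer) == expectedPin
			_, verr := peer.Verify(x509.VerifyOptions{DNSName: siteName, Roots: roots})
			trusted = verr == nil // false => the browser would show an untrusted-issuer warning
			if trusted && !pinOK {
				verr = fmt.Errorf("pin mismatch: issuer %q is trusted, but this is not the site's key", peer.Issuer.CommonName)
			}
			return verr
		},
	})
	err = cli.Handshake()
	<-srvErr
	return trusted, pinOK, err
}

// Scenario reproduces the thread. intercept: a Fiddler-style proxy answers for the site with
// its own certificate. trustProxyRoot: the user accepted the proxy's root into the trust store.
func Scenario(intercept, trustProxyRoot bool) (trusted, pinOK bool, err error) {
	publicCA, publicKey := issue("Public CA (constructed)", nil, nil)
	proxyCA, proxyKey := issue("Interception Proxy Root (constructed)", nil, nil)
	siteCert, siteKey := issue(siteName, publicCA, publicKey)
	proxyCert, proxyLeafKey := issue(siteName, proxyCA, proxyKey)
	roots := x509.NewCertPool()
	roots.AddCert(publicCA)
	if trustProxyRoot {
		roots.AddCert(proxyCA)
	}
	pin := spkiPin(siteCert) // a pinning client remembers the genuine site key
	if intercept {
		return connect(proxyCert, proxyLeafKey, roots, pin)
	}
	return connect(siteCert, siteKey, roots, pin)
}

func main() { // prints chainTrusted, pinOK, err for each scenario
	fmt.Println(Scenario(false, false)) // direct to the site
	fmt.Println(Scenario(true, false))  // proxy, its root not trusted
	fmt.Println(Scenario(true, true))   // proxy, its root accepted by the user
}
```

The three runs map onto the thread: direct to the site, both checks pass; proxy in the path without its root in the trust store, the handshake is aborted with an unknown-authority error before any form data exists to capture, which is the warning page a browser would show; proxy in the path after the user accepted its root (the "accept Fiddler root certificate" step), the chain verifies cleanly, the proxy holds the session keys and sees the password, and only the pin comparison notices that the key is not the site's. For a defender the practical consequence is that accepted roots on managed devices, not the TLS wire format, decide who can read HTTPS bodies, so auditing the trust store and using key pinning in clients that can afford it are the controls that detect this situation.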