If the Charles SSL Proxy shows me sensitive data, is that data insecure/exposed?What is the interest of Reverse Proxy?Anonymous proxy over SSLMan-in-the-middle Blue Coat proxy SSL or what?SSL Communication and ProxyProblems with intermediate SSL certificates and SSL proxyReverse Proxy SSLReverse Proxy SSL containerData exposed through campus proxyIf a computer is connected to a proxy, will all outgoing traffic go through that proxy?SSL Proxy as a man in the middle
1950s or earlier book with electrical currents living on Pluto
Gambler's Fallacy Dice
How to use Screen Sharing if I don't know the remote Mac's IP address
Why "strap-on" boosters, and how do other people say it?
What quantum phenomena violate the superposition principle in electromagnetism?
Will this series of events work to drown the Tarrasque?
Is there a way to generate a mapping graph like this?
No Active Recurring Contributions on civi record but stripe has the data. Is there a way to resend IPN?
Is there a realtime, uncut video of Saturn V ignition through tower clear?
How to say "invitation for war"?
Why did Nick Fury not hesitate in blowing up the plane he thought was carrying a nuke?
What does it mean to "take the Cross"
Germany rejected my entry to Schengen countries
Working hours and productivity expectations for game artists and programmers
Is being an extrovert a necessary condition to be a manager?
Simple Arithmetic Puzzle 7. Or is it?
Parse a C++14 integer literal
On a piano, are the effects of holding notes and the sustain pedal the same for a single chord?
What is metrics.roc_curve and metrics.auc measuring when I'm comparing binary data with probability estimates?
Any way to add more GPIOs to the AIY Voice Kit?
Do 'destroy' effects count as damage?
Why was Houston selected as the location for the Manned Spacecraft Center?
Good examples of "two is easy, three is hard" in computational sciences
How to play vs. 1.e4 e5 2.Nf3 Nc6 3.Bc4 d6?
If the Charles SSL Proxy shows me sensitive data, is that data insecure/exposed?
What is the interest of Reverse Proxy?Anonymous proxy over SSLMan-in-the-middle Blue Coat proxy SSL or what?SSL Communication and ProxyProblems with intermediate SSL certificates and SSL proxyReverse Proxy SSLReverse Proxy SSL containerData exposed through campus proxyIf a computer is connected to a proxy, will all outgoing traffic go through that proxy?SSL Proxy as a man in the middle
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
edited 48 mins ago
Charles Duffy
30729
asked yesterday
K.VovkK.Vovk
8814
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 1 more comment
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
edited 48 mins ago
Charles Duffy
30729
asked yesterday
K.VovkK.Vovk
8814
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
yesterday
39
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
yesterday
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
yesterday
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
yesterday
3
note that you can view the same info with the browser's built-in developer tools.
– dandavis
yesterday
|
show 1 more comment
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
edited 48 mins ago
Charles Duffy
30729
asked yesterday
K.VovkK.Vovk
8814
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my country.
I fired up Charles proxy and connected my phone to it and installed Charles's root certificate so I can use https (the site uses it). Anyway, I logged into the site and checked what Charles captured.
It captured a simple ajax call with 4 fields containing all the login credentials. Here's a screenshot:
Everything is even labeled - uporabnik means "user" and geslo means "password"
So if I am understanding this correctly (I am really really just a beginner), everyone that manages to capture this can look at it?
Is this only possible with a proxy or can wireshark for example also do this and just capture packets over wifi?
Are my assumptions true and if they are, what should I do about it?
authentication proxy websites
authentication proxy websites
edited 48 mins ago
Charles Duffy
30729
asked yesterday
K.VovkK.Vovk
8814
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 48 mins ago
Charles Duffy
30729
asked yesterday
K.VovkK.Vovk
8814
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 48 mins ago
Charles Duffy
30729
edited 48 mins ago
Charles Duffy
30729
edited 48 mins ago
Charles Duffy
30729
30729
asked yesterday
K.VovkK.Vovk
8814
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
K.VovkK.Vovk
8814
asked yesterday
K.VovkK.Vovk
8814
8814
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
K.Vovk is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
yesterday
39
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
yesterday
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
yesterday
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
yesterday
3
note that you can view the same info with the browser's built-in developer tools.
– dandavis
yesterday
|
show 1 more comment
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
yesterday
39
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
yesterday
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
yesterday
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
yesterday
3
note that you can view the same info with the browser's built-in developer tools.
– dandavis
yesterday
8
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
yesterday
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
yesterday
39
39
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
yesterday
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
yesterday
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
yesterday
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
yesterday
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
yesterday
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
yesterday
3
3
note that you can view the same info with the browser's built-in developer tools.
– dandavis
yesterday
note that you can view the same info with the browser's built-in developer tools.
– dandavis
yesterday
|
show 1 more comment
2 Answers
2
active
oldest
votes
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered yesterday
MechMK1MechMK1
2,2731626
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
yesterday
3
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
yesterday
2
Thank you. I completely understand now.
– K.Vovk
yesterday
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
yesterday
2
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
yesterday
|
show 4 more comments
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
yesterday
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
yesterday
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
yesterday
Oooooh, got it. Thank you for your time.
– K.Vovk
yesterday
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210356%2fif-the-charles-ssl-proxy-shows-me-sensitive-data-is-that-data-insecure-exposed%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered yesterday
MechMK1MechMK1
2,2731626
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
yesterday
3
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
yesterday
2
Thank you. I completely understand now.
– K.Vovk
yesterday
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
yesterday
2
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
yesterday
|
show 4 more comments
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered yesterday
MechMK1MechMK1
2,2731626
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
yesterday
3
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
yesterday
2
Thank you. I completely understand now.
– K.Vovk
yesterday
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
yesterday
2
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
yesterday
|
show 4 more comments
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered yesterday
MechMK1MechMK1
2,2731626
You seem to fundamentally misunderstand what TLS does.
TLS takes the regular plain HTTP traffic and encrypts it and adds integrity checks. Together with the certificate of the server, this ensures
Confidentiality: An attacker who captures the network traffic can not read the content of the communication.
Integrity: If an attacker modifies the network traffic, this would result in errors.
Authenticity: You can be sure that your communication partner is the server you think you communicate with. (We get to this in a second.)
If you were to look at the underlying HTTP communication, you would see your username and password in plain text, because this is what you have sent to the server.
What does the proxy do now?
If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!
When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.
An attacker however would have to make you import their certificate (or steal the private key of yours!) so you would trust certificates by their proxy.
So, is this an issue now?
No, it's not. Everything is working as it's supposed to.
At the end of the day, when you send your username and password to a website, it somehow has to actually reach that website.
answered yesterday
MechMK1MechMK1
2,2731626
answered yesterday
MechMK1MechMK1
2,2731626
answered yesterday
MechMK1MechMK1
2,2731626
answered yesterday
MechMK1MechMK1
2,2731626
2,2731626
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
yesterday
3
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
yesterday
2
Thank you. I completely understand now.
– K.Vovk
yesterday
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
yesterday
2
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
yesterday
|
show 4 more comments
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
yesterday
3
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
yesterday
2
Thank you. I completely understand now.
– K.Vovk
yesterday
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
yesterday
2
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
yesterday
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
yesterday
One potential issue might be if the attacker learns you are using an HTTPS proxy on their machine, and uses their own instance of the proxy to craft a certificate your machine will accept.
– John Dvorak
yesterday
3
3
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
yesterday
@JohnDvorak Certificates are unique per installation. If I use a proxy, that does not make me vulnerable to other people using the same proxy, as their keys will differ from mine.
– MechMK1
yesterday
2
2
Thank you. I completely understand now.
– K.Vovk
yesterday
Thank you. I completely understand now.
– K.Vovk
yesterday
4
4
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
yesterday
@MechMK1 Well, at least they should be unique per installation. Of course people managed to mess even this simple thing up, so be careful about what certificates you import. arstechnica.com/information-technology/2015/02/…
– Peter Harmann
yesterday
2
2
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
yesterday
when you send your username and password to a website, it somehow has to actually reach that website. unless you use an authentication scheme like SQRL
– Expired Data
yesterday
|
show 4 more comments
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
yesterday
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
yesterday
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
yesterday
Oooooh, got it. Thank you for your time.
– K.Vovk
yesterday
add a comment |
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
yesterday
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
yesterday
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
yesterday
Oooooh, got it. Thank you for your time.
– K.Vovk
yesterday
add a comment |
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
How do you think most web sites handles login? By sending usernames and passwords in POST data and recognizing the logged in user with session cookies afterwards. There's no reason for hashing the credentials client side, and even less to obfuscate the variable names: it would be equally easy to figure out that uporabnik or ugcbuzsq is a variable that carries usernames.
That's why the connection is encrypted using TLS, and that's also why you weren't able to see this information before you installed the Charles proxy's root certificate.
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
answered yesterday
Esa JokinenEsa Jokinen
4,6061623
4,6061623
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
yesterday
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
yesterday
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
yesterday
Oooooh, got it. Thank you for your time.
– K.Vovk
yesterday
add a comment |
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
yesterday
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
yesterday
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
yesterday
Oooooh, got it. Thank you for your time.
– K.Vovk
yesterday
1
1
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
yesterday
I see. TLS takes care of security so even if I can see the password, others cannot as that would require deeper access in my phone. Thats why the certificate is there
– K.Vovk
yesterday
1
1
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
yesterday
@K.Vovk no, that is not why the certificate is there. The certificate allows you to identify whether you are connecting to the server you think you are. For example, if you access www.google.com, your browser will open an encrypted connection to google, but how do you know it is really google and not just a hacker that's impersonating them?
– fabspro
yesterday
4
4
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
yesterday
… and that is precisely why you had to install Charles's certificate in the first place to make HTTPS work again. Because Charles is nothing but a man-in-the-middle-attacker in this scenario, and if you didn't install its root certificate, you would get a security warning in your browser, and it would not send the data without warning you.
– Jörg W Mittag
yesterday
Oooooh, got it. Thank you for your time.
– K.Vovk
yesterday
Oooooh, got it. Thank you for your time.
– K.Vovk
yesterday
add a comment |
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
K.Vovk is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210356%2fif-the-charles-ssl-proxy-shows-me-sensitive-data-is-that-data-insecure-exposed%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
8
But how would anyone capture this without installing the root certificate on your phone first?
– Luc
yesterday
39
Protip: If you censor an url, do it right. It's pretty easy to deduct what the URL is.
– MechMK1
yesterday
@Luc Oh, I see what you mean. Im really gonna have to look into how Charles works. Haven't tought about it that way. I guess it is safe then.
– K.Vovk
yesterday
@MechMK1 got it. Was in a hurry, sorry.
– K.Vovk
yesterday
3
note that you can view the same info with the browser's built-in developer tools.
– dandavis
yesterday