# Charles Proxy shows my login password in plain text.



## Deleted User (Dec 5, 2015)

It's a sign that the SSL really isn't secure. :/

It's quite worrying because it may lead to some "malicious intent". Any advice, or ways to fix?


----------



## tj_cool (Dec 5, 2015)

Well, yeah, you aren't even using the SSL version.
You have to use http*s* instead of http to use the secure site. We don't automatically redirect people to the secure version (for various reasons).


----------



## Deleted User (Dec 5, 2015)

@tj_cool

Unfortunately, I can still see it in the https site with SSL proxying, if that can draw any attention.


----------



## FAST6191 (Dec 5, 2015)

If I am reading this right (by which I mean https://www.charlesproxy.com/documentation/proxying/ssl-proxying/ ) then you have man-in-the-middled yourself and want us to do something about it? If so I do not particularly see the need -- local/user side challenges are a nightmare to implement well and two factor seems a bit overkill (does the Facebook login option not allow something like that, or effectively act as such?).


----------



## Cyan (Dec 5, 2015)

Isn't it a functionality of the proxy to be able to see your data, and not a flaw?
You are using Charles' certificate, so of course the proxy sees your data, to be able to re-encrypt it to send to the server.

The communication is encrypted and nobody can read the content (unless you trust a man-in-the-middle certificate instead of the owner's one), but not what you type. If you want to encrypt your own password to send it, you would have to type it encrypted yourself, or maybe add a JavaScript function to encrypt it first before sending the GET or POST request, and the server would have to decrypt it first before checking it against the database.
But even encrypted, it would not be enough unless you are using SSL/TLS for that and generate a trusted key for the current connection, because if you just encrypt it with a salt, someone "in the middle" can use the same encrypted string and the server would decrypt it.

The full stream is already encrypted; it's up to you to verify who provides the certificate to be sure nobody is reading your content.


----------
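An added example, not part of the thread or any poster's code, illustrating the replay point in Cyan's post above: a password transformed with a fixed salt yields the same string on every login, so a captured copy is accepted again, while a response bound to a fresh server nonce is not. The account, salt, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT = b"static-site-salt"  # constructed sample value
# Constructed account: the server stores SHA-256(salt + password).
STORED = {"alice": hashlib.sha256(SALT + b"correct horse").digest()}


def static_blob(password: bytes) -> bytes:
    """Client-side transform with a fixed salt: identical output every login."""
    return hashlib.sha256(SALT + password).digest()


def static_login(user: str, blob: bytes) -> bool:
    return user in STORED and hmac.compare_digest(STORED[user], blob)


class NonceServer:
    """Issues a fresh one-time challenge for each login attempt."""

    def __init__(self):
        self._pending = {}

    def challenge(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]

    def login(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)  # each nonce is valid once
        if nonce is None or user not in STORED:
            return False
        expected = hmac.new(STORED[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def nonce_response(password: bytes, nonce: bytes) -> bytes:
    return hmac.new(static_blob(password), nonce, hashlib.sha256).digest()


def demo() -> dict:
    captured = static_blob(b"correct horse")  # value observed on the wire once
    server = NonceServer()
    first = nonce_response(b"correct horse", server.challenge("alice"))
    ok = server.login("alice", first)
    server.challenge("alice")  # a later attempt gets a different nonce
    return {"static_replay_accepted": static_login("alice", captured),
            "nonce_login_ok": ok,
            "nonce_replay_accepted": server.login("alice", first)}
```

The nonce only stops replay of a captured message; the stored hash is still password-equivalent, and a proxy whose certificate the client trusts can read and modify everything, so TLS with a verified certificate remains the actual defence.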



## Deleted User (Dec 5, 2015)

@FAST6191 
@Cyan 

Thanks for the info guys. I was just worried because I know some people sometimes do use Charles Proxy to experiment with HTTPS link sniffing. However, I guess I really *should* uninstall the Charles certificate if I don't want my password to be sniffed. Then again, I have a tendency to accidentally visit the HTTP version of the temp.

Does anyone know how I can make a bookmarks bar in Firefox?


----------



## Cyan (Dec 5, 2015)

I guess it's called "personal bar".
Right click on a top menu and you should see the possible options to display.

When you manage the bookmarks, there's a folder named personal bar too.


----------



## Deleted User (Dec 5, 2015)

Cyan said:


> I guess it's called "personal bar".
> Right click on a top menu and you should see the possible options to display.
> 
> When you manage the bookmarks, there's a folder named personal bar too.


Ah, I found it now! Thanks.


----------

