Charles Proxy shows my login password in plain text.

Discussion in 'Site Discussions & Suggestions' started by Voxel, Dec 5, 2015.

  1. Voxel
    OP

    Voxel Fable Junkie

    Member
    GBAtemp Patron
    Jun 27, 2015
    United Kingdom
    England, UK
    It's a sign that the SSL really isn't secure. :/

    Not-secure.PNG

    unsafe.PNG
    It's quite worrying because it may lead to some "malicious intent". Any advice, or ways to fix?
     
  2. tj_cool

    tj_cool Site dev

    Supervisor
    Jan 7, 2009
    Belgium
    This planet
    Well, yeah, you aren't even using the SSL version.
    You have to use https instead of http to use the secure site. We don't automatically redirect people to the secure version (for various reasons).
     
    gamefan5 and Voxel like this.
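An added illustration of what tj_cool says the site does not do (this is not GBAtemp's code and not part of the thread): a small WSGI middleware that answers any plain-HTTP request with a 301 to the same URL over https:// and adds a Strict-Transport-Security header to HTTPS responses, so the browser stops following http:// links to that host on its own. The host name `forum.example`, the inner `hello` app, the `call`/`make_environ` helpers and the `X-Forwarded-Proto` fallback are constructed assumptions for the example.

```python
"""Added example: force HTTPS in a WSGI app and send HSTS (stdlib only)."""
from urllib.parse import quote

# One year, all subdomains: once a browser has seen this header over a valid
# TLS connection it rewrites http:// to https:// for this host by itself.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """True if the request arrived over TLS.

    Assumption: when fronted by a TLS-terminating proxy, that proxy sets
    X-Forwarded-Proto and strips any client-supplied copy of the header.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_url(environ):
    """Rebuild the requested URL with the https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


def force_https(app):
    """Middleware: redirect http:// requests, add HSTS to https:// responses."""
    def wrapped(environ, start_response):
        if not is_https(environ):
            # A password POSTed over http has already crossed the wire in the
            # clear by the time this runs; the redirect only helps the *next*
            # request. HSTS helps by stopping the http request from being made.
            headers = [("Location", https_url(environ)), ("Content-Length", "0")]
            start_response("301 Moved Permanently", headers)
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def hello(environ, start_response):
    """Constructed inner app standing in for the real login page."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form would go here"]


def call(app, environ):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(scheme, path="/login", query="", host="forum.example"):
    """Constructed request environment (only the keys this example reads)."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


if __name__ == "__main__":
    app = force_https(hello)
    print(call(app, make_environ("http")))
    print(call(app, make_environ("https")))
```

The redirect alone does not protect a login form that was already submitted over http; that request is on the wire before the server answers. The HSTS header is what removes the "I accidentally typed the http address" case, because the browser upgrades the URL before sending anything.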
  3. Voxel
    OP

    Voxel Fable Junkie

    Member
    GBAtemp Patron
    Voxel is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    5,208
    5,956
    Jun 27, 2015
    United Kingdom
    England, UK
    @tj_cool

    Unfortunately, I can still see it in the https site with SSL proxying, if that can draw any attention.

    still_unsecure.png
     
    Last edited by Voxel, Dec 5, 2015
  4. FAST6191

    FAST6191 Techromancer

    Reporter
    Nov 21, 2005
    United Kingdom
    If I am reading this right (by which I mean https://www.charlesproxy.com/documentation/proxying/ssl-proxying/ ) then you have man-in-the-middled yourself and want us to do something about it? If so, I do not particularly see the need -- local/user-side challenges are a nightmare to implement well, and two-factor seems a bit overkill (does the Facebook login option not allow something like that, or effectively act as such?).
     
    Voxel likes this.
  5. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    Oct 27, 2002
    France
    Engine room, learning
    Isn't it a functionality of the proxy to be able to see your data, and not a flaw?
    You are using Charles' certificate, so of course the proxy sees your data, in order to re-encrypt it and send it to the server.

    The communication is encrypted and nobody can read the content (unless you trust a man-in-the-middle certificate instead of the owner's one), but not what you type. If you want to encrypt your own password before sending it, you would have to type it encrypted yourself, or maybe add a JavaScript function to encrypt it first before sending the GET or POST request, and the server would have to decrypt it first before checking it against the database.
    But even encrypted, it would not be enough unless you are using SSL/TLS for that and generate a trusted key for the current connection, because if you just encrypt it with a salt, someone "in the middle" can use the same encrypted string and the server would decrypt it.

    The full stream is already encrypted; it's up to you to verify who provides the certificate to be sure nobody is reading your content.
     
    Voxel likes this.
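Cyan's two points above, that a man-in-the-middle can replay a password "encrypted with a salt", and that binding the proof to the current connection is what stops that, can be shown end to end. The following is an added example written for this thread, not Cyan's code and not anything from the site: scheme A sends `hash(salt + password)`, which an eavesdropper can resend as-is; scheme B has the server hand out a one-time nonce and the client answer with `HMAC(key, nonce)`, so a recorded answer is rejected the second time. The salt, the password `hunter2`, the `demo` driver and the SHA-256-based key derivation are constructed assumptions (a real site would use a slow per-user KDF).

```python
"""Added example: why a client-side hash with a fixed salt is replayable, and
how binding the proof to a one-time server nonce is not (stdlib only)."""
import hashlib
import hmac
import secrets

SITE_SALT = b"constructed-site-salt"  # constructed; real sites use per-user salts


def password_key(password: str) -> bytes:
    """What the client proves knowledge of. Constructed stand-in for a real
    slow KDF such as PBKDF2, scrypt or argon2."""
    return hashlib.sha256(SITE_SALT + password.encode()).digest()


# --- Scheme A: client sends hash(salt + password). Whatever a man-in-the-
# middle records is itself a valid credential, every time. ---
class StaticHashServer:
    def __init__(self, password: str):
        self.stored = password_key(password)

    def login(self, token: bytes) -> bool:
        return hmac.compare_digest(self.stored, token)


def static_client_token(password: str) -> bytes:
    return password_key(password)


# --- Scheme B: server issues a fresh nonce; client answers HMAC(key, nonce).
# A recorded answer is useless once its nonce has been consumed. ---
class ChallengeServer:
    def __init__(self, password: str):
        # Still a password-equivalent value on the server side; the scheme
        # removes replay from the wire, not the need to protect this store.
        self.verifier = password_key(password)
        self.outstanding = set()  # toy nonce store: no expiry in this example

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: str, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # never issued, or already used: replay rejected here
        self.outstanding.discard(nonce)  # single use
        expected = hmac.new(self.verifier, nonce.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_client_response(password: str, nonce: str) -> bytes:
    return hmac.new(password_key(password), nonce.encode(), hashlib.sha256).digest()


def demo(password: str = "hunter2") -> dict:
    """Run both schemes past an eavesdropper who records one login each."""
    results = {}

    # Scheme A: the recorded token logs in again, unchanged.
    server_a = StaticHashServer(password)
    captured_token = static_client_token(password)  # seen on the wire
    results["static_first_login"] = server_a.login(captured_token)
    results["static_replay_accepted"] = server_a.login(captured_token)

    # Scheme B: the recorded (nonce, response) pair is refused on replay.
    server_b = ChallengeServer(password)
    nonce = server_b.challenge()
    captured_response = challenge_client_response(password, nonce)  # seen on the wire
    results["challenge_first_login"] = server_b.login(nonce, captured_response)
    results["challenge_replay_accepted"] = server_b.login(nonce, captured_response)
    # A fresh exchange with the right password still works...
    fresh = server_b.challenge()
    results["challenge_fresh_login"] = server_b.login(
        fresh, challenge_client_response(password, fresh))
    # ...and the wrong password does not.
    fresh = server_b.challenge()
    results["challenge_wrong_password"] = server_b.login(
        fresh, challenge_client_response("not-the-password", fresh))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-28s %s" % (name, ok))
```

The nonce closes the replay Cyan describes, but not the rest of the problem: a proxy whose CA certificate you have chosen to trust still sees the nonce and the live answer, can pass them along, and then holds the logged-in session, while the server still keeps a password-equivalent verifier. That is why the thread's conclusion, that checking who issued the certificate is the thing to act on, stands whatever the login scheme does.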
  6. Voxel
    OP

    Voxel Fable Junkie

    Member
    GBAtemp Patron
    Voxel is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    5,208
    5,956
    Jun 27, 2015
    United Kingdom
    England, UK
    @FAST6191
    @Cyan

    Thanks for the info, guys. I was just worried because I know some people sometimes do use Charles Proxy to experiment with HTTPS link sniffing. However, I guess I really should uninstall the Charles certificate if I don't want my password to be sniffed. Then again, I have a tendency to accidentally visit the HTTP version of the temp. :P

    Does anyone know how I can make a bookmarks bar in Firefox?
     
  7. Cyan

    I guess it's called "personal bar".
    Right-click on a top menu and you should see the possible options to display.

    When you manage the bookmarks, there's a folder named personal bar too.
     
    Voxel likes this.
  8. Voxel
    OP

    Voxel Fable Junkie

    Member
    GBAtemp Patron
    Voxel is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    5,208
    5,956
    Jun 27, 2015
    United Kingdom
    England, UK
    Ah, I found it now! Thanks.