1. Deleted User

    OP Deleted User Newbie

    It's a sign that the SSL really isn't secure. :/

    Not-secure.PNG

    unsafe.PNG
    It's quite worrying because it may lead to some "malicious intent". Any advice, or ways to fix?
     
  2. tj_cool

    tj_cool Site dev
    Supervisor

    Joined:
    Jan 7, 2009
    Messages:
    10,044
    Country:
    Belgium
    Well, yeah, you aren't even using the SSL version.
    You have to use https instead of http to use the secure site. We don't automatically redirect people to the secure version (for various reasons).
     
    gamefan5 and Deleted User like this.
  3. Deleted User

    OP Deleted User Newbie

    @tj_cool

    Unfortunately, I can still see it in the https site with SSL proxying, if that can draw any attention.

    still_unsecure.png
     
    Last edited Dec 5, 2015
  4. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,473
    Country:
    United Kingdom
    If I am reading this right (by which I mean https://www.charlesproxy.com/documentation/proxying/ssl-proxying/ ) then you have man in the middled yourself and want us to do something about it? If so I do not particularly see the need -- local/user side challenges are a nightmare to implement well and two-factor seems a bit overkill (does the Facebook login option not allow something like that, or effectively act as such?).
     
    Deleted User likes this.
  5. Cyan

    Cyan GBATemp's lurking knight
    Former Staff

    Joined:
    Oct 27, 2002
    Messages:
    23,359
    Country:
    France
    Isn't it a functionality of the proxy to be able to see your data, and not a flaw?
    You are using Charles' certificate, so of course the proxy sees your data, to be able to re-encrypt it to send to the server.

    The communication is encrypted and nobody can read the content (unless you trust a man-in-the-middle certificate instead of the owner's one), but not what you type. If you want to encrypt your own password to send, you would have to type it encrypted yourself, or maybe add a JavaScript function to encrypt it first before sending the GET or POST request, and the server would have to decrypt it first before checking it with the database.
    But even encrypted, it would not be enough unless you are using SSL/TLS for that and generate a trusted key for the current connection, because if you just encrypt it with a salt, someone "in the middle" can use the same encrypted string and the server would decrypt it.

    The full stream is already encrypted; it's up to you to verify who provides the certificate to be sure nobody is reading your content.
     
    Deleted User likes this.
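
The replay problem described in the post above, as an added example that is not part of the original thread: a password "encrypted" with a fixed salt is accepted again when resent, while a per-login nonce rejects the resent value. The salt, password, function names and the nonce scheme are all constructed for illustration and are not the site's login code.

```python
import hashlib, hmac, secrets

SALT = b"constructed-site-salt"                           # constructed value
STORED = hashlib.sha256(SALT + b"hunter2").hexdigest()    # constructed server record

def client_static(password):
    """Client-side 'encryption' with a fixed salt: same output on every login."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()

def server_static(token):
    return hmac.compare_digest(token, STORED)

class ChallengeServer:
    """Hypothetical alternative: the server issues a one-time nonce per login."""
    def __init__(self):
        self.pending = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.pending:        # unknown or already used
            return False
        self.pending.discard(nonce)          # single use
        expected = hmac.new(bytes.fromhex(STORED), nonce.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def client_response(password, nonce):
    key = bytes.fromhex(client_static(password))
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def demo():
    captured = client_static("hunter2")      # value visible to an intercepting proxy
    static_replay = server_static(captured)  # accepted without knowing the password
    srv = ChallengeServer()
    n1 = srv.issue_nonce()
    r1 = client_response("hunter2", n1)
    first_login = srv.verify(n1, r1)         # legitimate login succeeds
    n2 = srv.issue_nonce()
    replay_new = srv.verify(n2, r1)          # old response against a fresh nonce
    replay_old = srv.verify(n1, r1)          # old response against the spent nonce
    return static_replay, first_login, replay_new, replay_old

# The nonce only stops replay of a captured value. A proxy whose certificate
# the browser trusts can still alter the page, so checking who issued the
# certificate remains the real control, as the post says.
if __name__ == "__main__":
    print(demo())
```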
  6. Deleted User

    OP Deleted User Newbie

    @FAST6191
    @Cyan

    Thanks for the info guys. I was just worried because I know some people sometimes do use Charles Proxy to experiment with HTTPS link sniffing. However, I guess I really should uninstall the Charles certificate if I don't want my password to be sniffed. Then again, I have a tendency to accidentally visit the HTTP version of the temp. :P

    Does anyone know how I can make a bookmarks bar in Firefox?
     
  7. Cyan

    Cyan GBATemp's lurking knight
    I guess it's called "personal bar".
    Right click on a top menu and you should see the possible options to display.

    When you manage the bookmarks, there's a folder named personal bar too.
     
    Deleted User likes this.
  8. Deleted User

    OP Deleted User Newbie

    Ah, I found it now! Thanks.
     