In my home I have a router protected with WPA2-PSK (WPA2 Personal), using the passphrase.

When I try to log in to a page over the Internet (this page does not use HTTPS to log me in), all my data is sent in clear text (since I can see the password I typed in Wireshark).

Why is that? I mean, my WiFi is protected, so all the communication should be encrypted, right?

TRiG
darias
  • Are you running Wireshark on the same computer you're using to log in? – A. Darwin Oct 01 '16 at 09:39
  • @A.Darwin: Yes, it's the same computer. – darias Oct 01 '16 at 09:40
  • Also note that tools like Wireshark will install their own cert and MITM themselves to introspect SSL traffic. This is important when...ahem debugging SSL traffic – Mike McMahon Oct 01 '16 at 20:48
  • You are confusing layers. Your HTTP client knows nothing about wifi and WPA. – njzk2 Oct 02 '16 at 01:27
  • Also: just because your password is encrypted on your wifi network does **not** mean that it is encrypted on the rest of the path to that server... So it doesn't matter what encryption your wifi uses: a webpage served on HTTP and asking for a password is **always** receiving the credentials in plaintext and anyone along the path to the server can read them. So: if you really have to log into that webpage choose a random username and password and change the password often. Do not insert sensitive/personal data on that site. – Bakuriu Oct 02 '16 at 07:14
  • I have a locked mailbox, but my roommate can see the letters when they're on my kitchen bench. Why are my letters sent unlocked through a locked mailbox? – user253751 Oct 02 '16 at 20:57
  • @immibis Perhaps more like "How are people reading my postcards when I walk them out to the postbox in a locked briefcase?" – Michael Oct 03 '16 at 20:57
  • @Michael With Wireshark in this scenario, the snooper is at the sending/receiving end, not in the middle of the path. – user253751 Oct 03 '16 at 21:23
  • @immibis You are right, but I think the internet at large is at least as much a concern as the other people on his computer. ;-) – Michael Oct 03 '16 at 21:26
  • One thing to keep in mind is that everyone who knows the WPA2 password can see this clear text even though the network is allegedly encrypted. See more here: https://github.com/d33tah/call-for-wpa3 – d33tah Oct 04 '16 at 02:50

7 Answers

I mean, my WiFi is protected, so all the communication should be encrypted, right?

It is, but not at the place you're reading it. Encryption happens at a certain point in the "pipeline", and decryption then must also happen at a certain point in the "pipeline" (otherwise the data are useless). You are observing the data after they have been decrypted, which would not be possible if you were using HTTPS (which instead provides end-to-end encryption, which starts at the server and ends at the browser).

If you attempted to use Wireshark to capture the contents of an HTTPS transaction, it'd be like this:

+--------+ (encrypted) +----------+ (encrypted) +--------+
| Server | ----------->| Internet |------------>| Router |
+--------+             +----------+             +--------+
                                                     |
                                                     | (encrypted)
                                  +------------------+---+
                                  | Your PC          |   |
                                  | +-----------+ (e)|   |
                                  | | Browser   |<---+   |
                                  | +-----------+    |   |
                                  | +-----------+ (e)|   |
                                  | | Wireshark |<---/   |
                                  | +-----------+        |
                                  +----------------------+

Here, your browser knows how to decrypt the data, because it "owns" the HTTPS transaction in the first place; your Wireshark instance (which, per the very purpose of end-to-end encryption, is treated just like any other snooper in this scenario) does not.

But your wireless encryption starts at the router and ends at the PC's network card, so the result for you is more like this:

+--------+ (plaintext) +----------+ (plaintext) +--------+
| Server | ----------->| Internet |------------>| Router |
+--------+             +----------+             +--------+
                                                     |
                                                     | (encrypted)
                                  +------------------+---+
                                  | Your PC          |   |
                                  | +-----------+ (p)|   |
                                  | | Browser   |<---+   |
                                  | +-----------+    |   |
                                  | +-----------+ (p)|   |
                                  | | Wireshark |<---/   |
                                  | +-----------+        |
                                  +----------------------+

Here, anything on your PC can read the data, because they were decrypted by your network card. Otherwise, what application would decrypt the data? Nothing would work.

There is almost no relationship between HTTPS and WPA2-PSK; they do completely different jobs.

Lightness Races in Orbit
Using a router with WPA2-PSK (or any other network encryption algorithm) does not mean all sites are forced to use HTTPS. It means that the unencrypted traffic is not visible to those who are not connected to the network.

Consider HTTPS as a relationship between your browser and the website.

Consider WPA2-PSK as the relationship between your device and your access point.

Adam Lindsay
  • WPA2-PSK is NOT a relationship between your device and your router. It is a relationship between your device and your wireless access point. That the wireless AP is often bundled into the same box as the router (and the network switch) doesn't mean they're the same thing. So in the case proposed, the over-the-air traffic is indeed encrypted, but it is decrypted in the access point before reaching the switch or router. Even if you have an all-in-one device, the AP is connected to a switch, and the router is also connected to the switch. All of the traffic traversing the switch is unencrypted. – Craig Tullis Oct 02 '16 at 07:03
When you run Wireshark on a computer, you're capturing the traffic that the computer can "see".

If you run Wireshark while browsing HTTP websites, the computer "sees" data in clear text, because the Wi-Fi encryption occurs at the router/access point level, which is known as "link layer".

If, on the other hand, you run Wireshark while browsing HTTPS websites, Wireshark "sees" encrypted data, even if you're not using Wi-Fi encryption, because HTTPS encryption (SSL/TLS) occurs at the browser level or, more precisely, at the "application layer".

Think this way.

An access point allows several devices to connect to the Internet. Without any kind of encryption, any device (whether inside or outside the wireless network) would be able to "see" traffic in clear text from and to any device connected to the network. Wi-Fi encryption prevents devices outside the network from seeing your traffic (that's what the passphrase is used for) and prevents devices inside the network from spying on each other (simplifying a bit, data are encrypted with different keys for each device). Therefore, if Alice and Bob are connected to the access point AP, not only can Eve (who is outside the network) not see the traffic related to Alice and Bob, but Bob cannot see what Alice is doing, and vice versa.

However, the owner of the Wi-Fi network can easily see what Alice and Bob are doing.

The analogy

Think about encryption (for the moment) as a series of tubes, and about data as letters sent through those tubes.

The wireless network is a huge room where you can read, write, and transmit messages, since it also includes a post office (access point).

The post office allows your letters to be sent to somebody using another box, perhaps on the other side of the world. It does so by checking the address written on the letter and sending it there.

If Wi-Fi encryption is used, the room is locked and every user has a distinct tube, through which he can send and receive messages.

The Internet is everything which is outside of the huge room. Alice and Bob are inside the room, Eve is outside of it.

Disclaimer: for the sake of brevity, talk = write and read in this context.

1) If the room wasn't locked, without tubes, and you were sending clear text postcards (no Wi-Fi encryption, no HTTPS), you would have a working post office (correctly sending and receiving letters), but a very insecure one. Alice could grab the letters sent by Bob, and vice versa. In addition, anyone could enter the post office and grab any letter. In other words, it would be a huge mess.

2) Wi-Fi encryption, no HTTPS corresponds to a locked room using one tube per person, so that Alice cannot grab the letters sent or received by Bob. Clearly, Eve, who's not even in the room, can't see anything. However, those letters are clear text postcards, meaning that the content is not encrypted. This means that the post office can see everything you send and receive.

Now, you may not like this. Why should the post office be able to read your messages if they only need to dispatch them? You then agree with the people you're communicating with, and decide to write coded or encrypted postcards. For example, HI MIKE would become FJSDJHDNFSJ.

This way, the post office cannot understand what you and your friends are talking about.

3) A system involving encrypted cards and an unlocked room with no distinct tubes is similar to no Wi-Fi encryption, but HTTPS. So the post office doesn't know what you're writing and reading, and Eve (who is outside of the locked room, but can see your letters as they exit the room) can collect or copy your messages but cannot understand them. Everything is fine, right? Well, no. Bob, Eve, and other people (both inside and outside of the network) can still see who you're talking to.

4) If the system involves a locked room with distinct tubes and encrypted postcards, it's similar to Wi-Fi encryption + HTTPS, which is pretty nice. No one knows what you're talking about, and only the post office knows who you're talking to.

TL;DR. HTTP on password-protected Wi-Fi allows you and the access point owner to read your traffic, even if other people on the same network can't.

HTTPS on password-protected Wi-Fi means that only you can read your traffic, and only the access point owner knows which websites you're visiting.

As an aside, if you don't want the AP owner to know which websites you're visiting, you should use other solutions, including VPNs and Tor.

A. Darwin
  • HTTP on password-protected Wi-Fi allows you and **everyone connected to the same Wi-Fi** to read your traffic, if the Wi-Fi uses PSK (you connect using just a password) – Josef Oct 03 '16 at 07:04
  • @Josef I may be wrong, but I think that sniffing other people's traffic, if the Wi-Fi uses PSK, is only possible if you manage to capture the initial handshake. If this is correct, I chose not to mention it, in order to simplify a bit the answer. However, I could edit it, if you feel this is an important remark. – A. Darwin Oct 03 '16 at 11:08
  • You can always force a reassociation and the client will create a new handshake. So in practice, every Wi-Fi with a PSK can be sniffed. https://security.stackexchange.com/a/8593/37864 has more details – Josef Oct 03 '16 at 12:00
  • Also, many APs will prevent wireless devices from seeing each other by default (configurable, so you *could* let wireless devices see each other). However, any wired devices on the same network could potentially see the wireless devices' traffic, and that traffic would be in the clear, unencrypted. – Craig Tullis Oct 03 '16 at 17:54
That your wifi is WPA2 protected just means that the signals sent over the air from your computer to the router are encrypted, nothing else. From there onwards (from the router to the next hop of your ISP and then eventually to the web server serving your request) the traffic is unencrypted.

https, however, provides end-to-end encryption. One end is your browser (on your side), the other end is the web server serving the request. End-to-end means that no entity between those 2 ends can see the plain text. Check an arbitrary https website and you'll see: Wireshark can't see anything because Wireshark listens on the network interface, and that only gets the data after the browser has already encrypted it. On the other hand, WPA2 is not end-to-end. The network device handles encryption (and Wireshark intercepts the data before the device does so). That is why you can see clear text data.

An important point to make here is that what you can do on your computer, everyone else can do on every internet router that gets the data in between your wifi router and the web server. Therefore, consider WPA2 as a means to protect the privacy of the sent-over-the-air part of your home network. If you want confidentiality of communication that goes over the internet, end-to-end encryption protocols (like https) are the method of choice.

kaidentity
  • This is the best answer here, because it is the most accurate. Even so, WPA only protects the wireless segment of your home network. – Craig Tullis Oct 02 '16 at 07:04
There are a lot of ideas rolling around here, with varying degrees of inaccuracy.

WPAx encrypts traffic over-the-air, between your device and your wireless access point (AP), and nowhere else (including the router).

Even if you have just one device that you call a "router" or a "modem" you actually (typically) have 4 devices. They are all just built into the same box for convenience and to make network configuration easier for home users. On my own network(s), literally all of these are physically separate devices.

You have:

  • A modem: typically cable or DSL, which bridges Ethernet packets from your home network onto the internet
  • A router: this routes packets between different networks and generally has firewall features for security
  • An Ethernet switch: everything connected to a switch is on the same local area network (LAN)
  • A wireless access point (AP): this is what your wireless devices connect to

WPAx only encrypts packets between your devices and the AP.

The AP decrypts the packets, transforms them into regular old Ethernet packets and forwards them to the switch. Anything else plugged into that switch could potentially read your packets in plain text.

Your router is also connected to the switch, and the modem is connected either to the router or to the switch.

The traffic path looks like this:

[device ----- AP] ---- switch ---- router ---- modem -> Internet
      WPAx              |
                        |
               computer, printer?

WPAx is a wireless-only security protocol. It's part of the path between your devices and your access point. If you have a computer plugged into your switch with a cable, that computer could see your "wireless" traffic unencrypted, and likewise any packets that go out to the Internet through your router and modem are also unencrypted.

Craig Tullis
WPA2-PSK encryption is there to protect the wireless radio emission between the PC wireless card and the Wifi router. The payload (data) transferred between the PC client (i.e. web browser) and the remote server can be encrypted (SSL, etc.) or not - this is another layer. Without WPA2-PSK anybody in near range (~50 meters) can spy on all your traffic. For a simple comparison, imagine that Wifi with WPA2-PSK is an Ethernet cable going inside your house where external people don't have access, and without WPA2-PSK the same cable is going through a public place (street, roof, etc.).

i486
Although there is a thing called "Internet Protocol", there is no single protocol that makes up the Internet. Rather, the Internet is made up of many different protocols, several of which are used together at any one time to form what's called a stack.

The lowest layer in the stack is called the link layer, and it handles the question of how to get a signal between two machines that are directly connected somehow. Ethernet is an example of a link-layer protocol. So is Wi-Fi, and so is PPP (used most famously by modems, but DSL and cell phones also use it behind the scenes).

The next layer is called the Internet layer, and it handles the question of how to get a signal between two machines that aren't directly connected, using a series of machines which are. IP (the "Internet Protocol" I mentioned above) lives here. Note that the link layer doesn't have to know or care how the machines are connected: it is theoretically possible that your data might go through Wi-Fi, Ethernet, PPP, and more exotic kinds of links on the way to its destination, and it won't make any difference.

Above this is the transport layer, which takes the signal and turns it into meaningful data of some kind. TCP, which collects these signals and turns them into longer-lasting "connections", lives here. So does UDP, which is less concerned about connections and just blasts bits of data back and forth, as do a number of other things.

Last comes the application layer, where the data from the transport layer is interpreted for particular purposes. HTTP lives here, as do various messaging protocols, most game protocols, and most of the other things we tend to think of when we think of the Internet.

The reason all of the above is important is that encrypting Web traffic only affects the layers at or below the layer where the encryption happens. WPA protects Wi-Fi, which is a link-layer protocol: the traffic is indeed encrypted, but only between the two machines that are directly connected, because that's how link-layer protocols work. Wireshark sees the cleartext because by the time the traffic ever gets to it, it has already been decrypted.

To make Wireshark unable to sniff the contents of a connection, you have to encrypt it in a higher layer than Wireshark works at, so that it hasn't been decrypted by the time Wireshark sees it. This is what SSL/TLS is for. It works in the application layer (though it acts like another transport layer, thus the name "Transport Layer Security"), so if you run Wireshark on it, it will see encrypted text. There actually are ways to get Wireshark around this, but they involve fundamentally altering the connection so that Wireshark can act as a man-in-the-middle. It's not something you can do unless you already know the encryption keys the connection will use.

The Spooniest