
I implemented a REST server to enable JWT authentication with support for TLS (with a self-signed certificate).

When I send the credentials to my REST server with a Firefox plugin (RESTClient) and view the HTTP headers with another plugin (Live HTTP Headers), I see the credentials in plaintext. What am I doing wrong? With SSL enabled, why do I see the credentials in plaintext and not encrypted?

[Image: Request with RESTClient]

[Image: Analysis with Live HTTP Headers]

CipherX
  • 190
  • 1
  • 8
  • The browser extension is reading the data before it's encrypted - try using a proxy which isn't part of the browser to see encrypted data. – Matthew Nov 22 '16 at 11:34
  • Thanks @Matthew, can you link me a tutorial? – CipherX Nov 22 '16 at 11:36
  • @CipherX If you want to see how your data looks when leaving your computer, try sniffing software such as Wireshark (https://www.wireshark.org/). There you can see exactly how the data looks when it's sent by your NIC. If you've never done this before, Google some tutorial on how to sniff HTTP/S traffic with Wireshark; there should be plenty of those. – user1164108 Nov 22 '16 at 14:15

1 Answer

3

Data will be encrypted while transmitted over the internet, not at either the sender or the receiver. So in other words:

sender (not-encrypted data) -> transmission (encrypted data) -> receiver (not encrypted data)

If you want your data to be protected even when received at the receiver side, then you will need to apply some encryption scheme before sending it over TLS. Also consider using digest authentication and not plaintext.

jedidog
  • 304
  • 1
  • 5
  • Ok, but if there is a malicious user on my network and he sniffs the traffic, can he recover these credentials? – CipherX Nov 22 '16 at 10:20
  • 1
    No, a malicious user cannot sniff the traffic and obtain the username or password. Unless the attacker takes control of the receiver, in which case he can do anything. But with respect to encryption and TLS, no, an attacker cannot sniff your data. You can also try it out using Wireshark or any other equivalent software. – jedidog Nov 22 '16 at 10:25
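The answer contrasts plaintext credentials with digest authentication. The following is an added example (not code from the question or answer) that builds the two kinds of `Authorization` header with only the Python standard library, so you can see what a browser extension observes before TLS is applied: the Basic header decodes straight back to the password, while the Digest header carries only a hash computed over the password, a server nonce and the request. The Digest inputs are the worked example values from RFC 2617 section 3.5; the user names, password store and helper function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values; the Digest ones are the worked example
# from RFC 2617 section 3.5, so the expected response hash is known.
USERNAME = "Mufasa"
PASSWORD = "Circle Of Life"
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
URI = "/dir/index.html"
CNONCE = "0a4f113b"
NC = "00000001"
QOP = "auth"


def md5_hex(s: str) -> str:
    # RFC 2617 Digest uses MD5; it is kept here only to reproduce the RFC example.
    return hashlib.md5(s.encode()).hexdigest()


def basic_authorization(username: str, password: str) -> str:
    """Basic auth header: base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> tuple[str, str]:
    """Anything that sees the header before TLS (an extension, a proxy) recovers this."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop) -> str:
    """RFC 2617 'auth' qop: response = H(HA1 : nonce : nc : cnonce : qop : HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_authorization(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """Client side: the header never contains the password itself."""
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop)
    return (
        f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
        f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{response}"'
    )


def parse_digest(header: str) -> dict:
    """Parse key=value pairs, with or without quotes, from a Digest header."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def verify_digest(header: str, method: str, password_store: dict) -> bool:
    """Server side: recompute the response from the stored password and compare in constant time."""
    if not header.startswith("Digest "):
        return False
    f = parse_digest(header)
    try:
        password = password_store[f["username"]]
        expected = digest_response(
            f["username"], f["realm"], password, method, f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"]
        )
        return hmac.compare_digest(expected, f["response"])
    except KeyError:
        return False


if __name__ == "__main__":
    basic = basic_authorization(USERNAME, PASSWORD)
    digest = digest_authorization(USERNAME, REALM, PASSWORD, "GET", URI, NONCE, NC, CNONCE, QOP)
    print("Basic header  :", basic, "-> decodes to", decode_basic(basic))
    print("Digest header :", digest)
    print("Password in Digest header?", PASSWORD in digest)
    print("Server accepts Digest?", verify_digest(digest, "GET", {USERNAME: PASSWORD}))
```

Both headers are visible to the browser extension because it hooks the request before the TLS record layer encrypts it; only the bytes on the wire are protected, which is exactly what the answer's sender/transmission/receiver diagram says. Digest narrows what an endpoint-side observer learns, but a replay of the same nonce and response is still possible, so TLS remains the control that protects the credential in transit.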