
Suppose we run the following request:

import requests

url = "https://secretsub.example.com/secretpath/post.php"
payload = {'secretmessage1': 'foo', 'secretmessage2': 'bar'}
r = requests.post(url, data=payload, verify=True)

The language (Python) is arbitrary; it could be a request in any other language (Node.js, Java, PHP...).

Notice that the URL uses https, which means that the connection is secured over SSL. Assuming that I compile this program into a binary (.exe), would it be possible for the computer to read the payloads in plain text using some software?

I know that packet-sniffing software (like Wireshark) will only reveal the domain name (example.com) in plain text, but not the secretpath nor the payload, which will be encrypted.

If I run this code in a web browser however (assuming that it is written in JavaScript), I will be able to access the payload and the secretpath in plain text inside the browser console. I assume that the browser encrypts it only after the request is logged in its console. But if this code is run outside the browser, is there a way for the host computer to intercept that data in plain text (some sort of packet-sniffing tool)?

TSR

3 Answers

1

Generally, you are using the TLS protocol, and thus initiating a handshake with the server, agreeing upon things such as the cipher suites and keys to use. This is a secure protocol, as long as you can trust who you are communicating with (e.g. certificate validation).

You ask whether the host computer could intercept something. After the encryption has taken place, I'd say no.

On a side note, the host computer is performing the encryption in an allocated area of memory. If the host is compromised to the extent that you cannot trust the memory protection of that machine, or generally the context of the process, the plaintext can be retrieved prior to encryption. But it's impossible to have zero risk, so this is not necessarily something that you need to consider.

BenM
0

In the current example, if you compile the code you could run strings on the binary and see the secret payload, as it is not encrypted in the binary.

Joe M
0

Assuming that I compile this program into a binary (.exe), would it be possible for the computer to read the payloads in plain text using some software?

Yes.

In most cases (but not all) the program will not incorporate the SSL functionality in itself but use a library linked at runtime - a .dll on MS Windows, a .so on Linux. It would be relatively trivial to inject an abstraction layer on top of the library to capture the data in/out.

You could compile the program with static linking (but it wouldn't be very portable and wouldn't take advantage of the OS patching to remain secure). But it would still be possible to attach a debugger to the process to see the clear text.

Then there's the problem that someone with control over the computer can simply redirect the traffic to a server they control using a fake certificate - you could mitigate this by implementing your own certificate pinning within the application, but then you've just moved the problem elsewhere - to protecting the certificate hash - and you are now maintaining your own complete SSL stack independently.

But if the text is static in the binary and doesn't use some elaborate obfuscation (which is security by obscurity) then you don't need to go to all that effort - just decompile it or use 'strings'.

If you are specifically asking about malware running on the client, then you probably only need to worry about the shared lib issue.

symcbean
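To illustrate the point made in Joe M's answer and in the last paragraphs above (string literals survive compilation, so `strings` or a decompiler recovers them), here is an added example that is not part of the original thread and was not written by any of the answerers: a minimal reimplementation of the `strings` heuristic in Python, run over a constructed byte blob that stands in for a compiled binary. The blob, its filler bytes and the `embedded_secrets` pre-release check are all constructed for this example; the URL and payload keys are those from the question.

```python
import re

# Default minimum run length used by the real `strings` tool.
MIN_LEN = 4


def find_ascii_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Mimic `strings`: runs of printable ASCII (0x20-0x7e or tab) of at least min_len bytes."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_utf16le_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Mimic `strings -el`: ASCII characters stored as UTF-16LE, as Windows .exe files often do."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def embedded_secrets(blob: bytes, secrets: list[str], min_len: int = MIN_LEN) -> dict[str, bool]:
    """Pre-release check (constructed for this example): report which known secret
    values are recoverable from the artifact with a plain strings scan."""
    found = set(find_ascii_strings(blob, min_len)) | set(find_utf16le_strings(blob, min_len))
    return {s: any(s in f for f in found) for s in secrets}


def build_fake_binary() -> bytes:
    """Constructed stand-in for a compiled program: opaque non-printable filler with the
    script's literals embedded exactly as a compiler would place them in .rodata / .rdata."""
    filler = bytes([0x00, 0x01, 0x8B, 0xFF, 0xE8, 0x90, 0x0F, 0x1F]) * 16  # not real machine code
    parts = [
        filler,
        b"https://secretsub.example.com/secretpath/post.php\x00",
        filler,
        b"secretmessage1\x00foo\x00secretmessage2\x00bar\x00",
        filler,
        "verify".encode("utf-16-le") + b"\x00\x00",  # a wide string, as a Windows build might store it
        filler,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    blob = build_fake_binary()
    print("ASCII strings (min 4):", find_ascii_strings(blob))
    print("ASCII strings (min 3):", find_ascii_strings(blob, 3))
    print("UTF-16LE strings:     ", find_utf16le_strings(blob))
    print("secrets recoverable:  ", embedded_secrets(blob, ["secretpath", "secretmessage1", "foo"]))
```

Two things worth noticing when running it: the URL (including the "secret" path) and the dictionary keys fall straight out of the default scan, while the three-character values "foo" and "bar" slip under the default threshold of four and only appear once the minimum length is lowered (the real tool does the same with `strings -n 3`), so a clean default scan is not evidence that nothing is embedded. The practical mitigation is the one the answers converge on: treat anything shipped in a client binary as public and keep real secrets on the server side, optionally running a check like `embedded_secrets` in the build pipeline to catch accidental inclusions before release.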