I have an app which sends a user-email and a password to a server for verification using a post request:

$.post(server_url, {
  email:    user_email,                  // credentials taken from the login form
  password: user_password,
  action:   requested_action_on_server   // which operation the server should perform
}, function(result) {
  // do stuff with the server's response
});

The server is an https website, but I'm concerned that this doesn't protect the above user from interception of the request and thus stealing of their password.

Any chance I'm wrong and that the online server being https is sufficient to protect this information?

  • In short: unless your (unknown) threat is somebody trusted by the client (like a corporate proxy doing SSL interception) HTTPS is sufficient to protect the password __in transit__. The server will of course have the plain password and the client has this too, so there might still be problems at these ends. – Steffen Ullrich Nov 02 '20 at 07:55
  • thanks - so just to confirm I'm understanding correctly - this principle would also apply if I sent the above information from an http website to an https website? – it Haffens Nov 02 '20 at 07:57
  • There is not really a "sending from a website". There might be a script on an HTML page provided by HTTP which triggers the sending, but the sending is done by the browser. Thus the transit of the password between client (browser) and server is still protected. But the transport of the origin HTML page was not protected and thus a MITM attacker might have changed the page so that it does something different - like not sending the password with HTTPS or sending it to a different server instead. – Steffen Ullrich Nov 02 '20 at 10:55
  • perfect - thanks for the very clear comments! – it Haffens Nov 02 '20 at 11:19
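The distinction drawn in the comments above, "protected in transit" versus "the page itself could have been tampered with", as an added example that is not part of the question or the comments. The function names (assessCredentialPost, postCredentials, transportSecurityHeaders) and the example hostnames are my own; it runs under Node.js with nothing but the built-in URL class, and the `send` callback stands in for `$.post` so the guard can be exercised without a network.

```javascript
// Classify a credential POST by the scheme of the page whose script issues
// it and the scheme of the endpoint it targets. Only the endpoint scheme
// decides whether the password is encrypted on the wire; the page scheme
// decides whether the posting script could have been rewritten on its way
// to the browser.
function assessCredentialPost(pageUrl, endpointUrl) {
  const page = new URL(pageUrl);
  const endpoint = new URL(endpointUrl);
  const endpointSecure = endpoint.protocol === 'https:';
  const pageSecure = page.protocol === 'https:';
  const findings = [];

  if (!endpointSecure) {
    findings.push('endpoint is plain HTTP: the password is readable by anyone on the path');
  }
  if (!pageSecure) {
    findings.push('page is plain HTTP: an on-path attacker can rewrite the script before it runs');
  }
  return {
    transitProtected: endpointSecure,     // password encrypted between browser and server
    pageIntegrityProtected: pageSecure,   // the script doing the posting arrived untampered
    safe: endpointSecure && pageSecure,
    findings,
  };
}

// Hardened replacement for the $.post call in the question. `send` is the
// function that performs the request (e.g. $.post or fetch), injected so the
// guard can be tested offline. Credentials never reach `send` unless both
// the page and the endpoint are HTTPS.
function postCredentials(pageUrl, endpointUrl, credentials, send) {
  const assessment = assessCredentialPost(pageUrl, endpointUrl);
  if (!assessment.safe) {
    return { sent: false, reason: assessment.findings.join('; ') };
  }
  send(endpointUrl, credentials);
  return { sent: true, reason: null };
}

// Server-side headers that close the "page delivered over HTTP" gap after a
// browser has seen the site over HTTPS once: HSTS makes the browser refuse
// plain HTTP for the host, and the CSP directive upgrades any remaining
// http:// subresource requests the page might still contain.
function transportSecurityHeaders(maxAgeSeconds = 31536000) {
  return {
    'Strict-Transport-Security': `max-age=${maxAgeSeconds}; includeSubDomains`,
    'Content-Security-Policy': 'upgrade-insecure-requests',
  };
}

// Constructed sample: the situation asked about in the follow-up comment,
// a script on an HTTP page posting to an HTTPS endpoint.
const sample = assessCredentialPost('http://shop.example/login.html', 'https://api.example/auth');
console.log(sample);
// transitProtected: true, pageIntegrityProtected: false, safe: false
```

In a real page the first argument would be `window.location.href`; keeping it a parameter here is what makes the guard unit-testable. The guard is a belt-and-braces client check only: if the page is already under an attacker's control the script can be removed along with everything else, which is why the server-side headers are the mitigation that actually matters.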