Postback for Passwords in Cleartext?

Question

I've just started working on an aspx web from login page for AspNet.Identity. I have my fields, username and password (textmode="Password") and a submit button (asp:button) as usual with my code behind to do login, etc.

My question is, when my user clicks submit, how is the password sent to the server? Do I need to be on SSL to ensure that the password isn't sent in cleartext?

Edit StackOverflow's login page isn't over HTTPS - how do they (and other sites that don't use HTTPS) manage password transmission?

Answer 1

Depending on the form method GET or POST values are sent to the server.

By default in asp.net the form method is POST so it is send in the body of the request.

If the form method is GET then it sent in the url.

Edit 1

When you use HTTPS the channel is secured. But some time it can be slower than HTTP because HTTPS requires an initial handshake which can be very slow.

Some useful links
Difference between http and https
HTTP vs HTTPS performance

Answer 2

One can say that all data submitted from the browser is sent in cleartext (that is, neither browser itself encrypt it, nor when data arrives to your server-side script it requires decryption). All the encryption (if any) is performed at the protocol level.

Plain HTTP doesn't encrypt any information sent over it, which allows for simple inspection (man-in-the-middle attack, eavesdropping). On the other hand, HTTPS creates a secure channel over an otherwise insecure network and protects from said attacks reasonably well.

One caveat to that is using GET to send data to the server. This information can easily end up in server logs.

Answer 3

Main problem is that if anyone is able to listen to the traffic from your client to your server, then they will also be able to manipulate what your server sends to client. This issue invalidates all attempts to do some javascript magic to hide it out will be lost effort.

In other words, there is for the time being only SSL to help you out.