0

I have a PHP page on my SSL server which effectively acts as a REST API. What I need to do is take the unencrypted password from a different domain and POST it to my page. After this, the server returns the encrypted data in JSON. I do this with my current website, as a POST from the same domain is completely secure, but I am not sure about a POST from a different domain. Is there any way a hacker can intercept the POST data before it is encrypted?

Thanks

Kabeer

kabeersvohra

3 Answers

2

I didn't comprehend what you're describing in your question, but as for your title:

Is posting unencrypted passwords to an HTTPS server unsafe?

No, it is completely safe. Millions of websites do this every day via their login forms.

Jonathon Reinhart
1

If you are receiving the POST data via HTTPS, then it is encrypted in transit and not easily intercepted. It is encrypted using a shared symmetric key between the client and the server, so that only they can decrypt each other's messages.

See How exactly HTTPS (ssl) works

Leonardo Gonzalez
1

I wouldn't say it is safe, but I would agree that it is fairly common to pass unencrypted user/pass and only depend on TLS/SSL... TLS/SSL has been compromised a few times over the last couple of years, so depending entirely on it can involve risk.