I am confused regarding aspects of password encryption in the following scenario. While debugging a network response from an Android app using Fiddler or Wireshark, which create a type of proxy server that allows me to see whatever request goes from the app to the server, the password is in the raw response and is clearly visible in the POST request. On the server end, by using password_hash and password_verify, we are protecting the password. But if someone else on the network can view the password, then encryption at the server end is of no use. Is there any way I can send an encrypted password from the app so that it is converted into some other form, and after that the password_hash function encrypts it? (Even in HTTPS I can see the POST request.)
- This is what HTTPS / TLS is for. – ChrisGPT was on strike Jan 09 '17 at 19:32
- Any implementation in pseudo form you can explain? – antoniomerlin Jan 09 '17 at 19:34
- What does "even in HTTPS I can see post request" mean? Exactly how do you "see" the password with HTTPS? – ChrisGPT was on strike Jan 09 '17 at 19:34
- In an HTTPS request I am able to see the password in Fiddler. – antoniomerlin Jan 09 '17 at 19:35
- If so, then use [this](http://stackoverflow.com/questions/1205135/how-to-encrypt-string-in-java) on the client side and reverse it on the server side. – Arpit Solanki Jan 09 '17 at 19:37
- Please provide a _detailed_ explanation of what you are doing. Enough that we could fully reproduce it. Where is Fiddler running? On your client? On your server? Somewhere else? Which implementation of Fiddler? – ChrisGPT was on strike Jan 09 '17 at 19:37
- @ArpitSolanki, no. There's no need to manually encrypt then decrypt the data. That adds unnecessary steps, each of which is an opportunity to make a mistake. HTTPS / TLS is all that's required. – ChrisGPT was on strike Jan 09 '17 at 19:38
- Agreed @Chris. – Arpit Solanki Jan 09 '17 at 19:39
- Fiddler is on a PC whose IP and port (8888) are set up in the tablet's Wi-Fi advanced settings, where the proxy is set to manual mode. Now when the tablet sends a request to the server API, it goes through Fiddler and then to the server. Well, this is the setup. – antoniomerlin Jan 09 '17 at 19:44
1 Answer
The solution to securing the password in transit with HTTPS is to "pin" the certificate. Essentially that means verifying that the certificate received on establishment of the connection belongs to the correct server.
MITM and proxy attacks use a certificate that is not a valid certificate for the server and will be refused.
See: HTTP Public Key Pinning.

– zaph
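As an added illustration of the pinning the answer recommends (this is example code, not zaph's or any project's own, and it uses OkHttp, a common Android HTTP client rather than anything the question mentions), the client below pins the server's public key so that a TLS session terminated by a proxy presenting a different certificate chain is refused before the login form is ever sent. The host name `api.example.com` and the two `sha256/...` pin values are placeholders; the real pins are the base64 SHA-256 of the server's SubjectPublicKeyInfo and must be taken from the actual certificate chain.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.FormBody;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

public final class PinnedLoginClient {
    // Hypothetical API host; replace with the real one.
    private static final String API_HOST = "api.example.com";

    // Placeholder pins (constructed for this example). Ship the SHA-256 of the
    // server key's SubjectPublicKeyInfo plus a backup key, so that a key rotation
    // does not lock every installed app out of the service.
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private final OkHttpClient client;

    public PinnedLoginClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Sends the credentials as a form POST over TLS. Returns the HTTP status code,
     * or -1 when the peer's certificate chain matched none of the pins.
     */
    public int login(String username, String password) throws IOException {
        RequestBody form = new FormBody.Builder()
                .add("username", username)
                .add("password", password)
                .build();
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/login")
                .post(form)
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.code();
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp checks the pins while establishing the TLS connection, before any
            // HTTP bytes are written, so the password never reaches a non-pinned peer.
            // The exception message lists the pins of the chain actually presented.
            return -1;
        }
    }
}
```

The same policy can be declared without code in an Android network security configuration (`res/xml/network_security_config.xml`, referenced from the manifest's `android:networkSecurityConfig` attribute) using a `<pin-set>` with `<pin digest="SHA-256">` entries for the domain. Either way, pin at least two keys and plan the rotation before the certificate expires, because a pin that no longer matches the live server is indistinguishable from a proxy from the app's point of view.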