Passwords sent as plaintext? - eviltoast

I tried logging in from a browser and inspected the request. My password was sent in plaintext. Is this an infosec.pub issue or a Lemmy one?

  • 0x7d0@infosec.pub
    1 year ago

    You are describing TLS, which is commonly used for websites and web apps.

    Try the following command:

    openssl s_client -connect infosec.pub:443
    

    The public key, the authority that signed the certificate, and the cipher used will all be visible.

    For me, the cipher used is ECDHE-RSA-AES256-GCM-SHA384.

    • iamak@infosec.pubOP
      1 year ago

      Oh. Okay. I’ll check it out once. I’m pretty new to all this so I didn’t know this is how SSL works.
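
The summary lines that `openssl s_client` prints can be checked mechanically rather than read by eye. The following is an added example, not part of the thread: it parses a constructed sample of that output (using the cipher quoted above) and flags an obsolete protocol, missing forward secrecy, a non-AEAD cipher or an unverified certificate. The names `summarize` and `findings` are hypothetical.

```python
import re

# Constructed sample: the summary lines `openssl s_client` prints, using the
# cipher quoted in the thread. Not captured from a real server.
SAMPLE = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Verify return code: 0 (ok)
"""

OBSOLETE = {"SSLv3", "TLSv1", "TLSv1.1"}

def summarize(output):
    """Extract protocol, cipher and certificate verdict from s_client text."""
    m = re.search(r"^New, (\S+), Cipher is (\S+)", output, re.M)
    if not m or m.group(2) == "(NONE)":  # a failed handshake reports (NONE)
        raise ValueError("no cipher negotiated; the handshake did not complete")
    protocol, cipher = m.groups()
    verify = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    parts = cipher.replace("_", "-").split("-")
    return {
        "protocol": protocol,
        "cipher": cipher,
        # TLS 1.3 key exchange is always ephemeral; in TLS 1.2 the suite name says so.
        "forward_secrecy": protocol == "TLSv1.3" or parts[0] in ("ECDHE", "DHE"),
        # AEAD modes encrypt and authenticate each record in one step.
        "aead": any(p.startswith(("GCM", "CCM", "POLY1305")) for p in parts),
        "verify": (int(verify.group(1)), verify.group(2)) if verify else None,
    }

def findings(output):
    """Return a list of weaknesses; empty means the session looks sound."""
    s, out = summarize(output), []
    if s["protocol"] in OBSOLETE:
        out.append("obsolete protocol " + s["protocol"])
    if not s["forward_secrecy"]:
        out.append("no forward secrecy in " + s["cipher"])
    if not s["aead"]:
        out.append("non-AEAD cipher " + s["cipher"])
    if s["verify"] is None or s["verify"][0] != 0:
        out.append("certificate not verified: %s" % (s["verify"],))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE), findings(SAMPLE))
```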