2

I tried logging in on browser and I had inspected the request. My password was sent in plaintext. Is this a infosec.pub issue or a Lemmy one?

you are viewing a single comment's thread
view the rest of the comments
[-] iamak@infosec.pub 1 points 1 year ago

First of all thanks for the very detailed response. I have a few questions.

  1. Like you said, why not use public key cryptography? Why is it not well supported for web-apps?

  2. Why not use something like Diffie-Hellman algorithm to share the password? Signal protocol uses ECDHE so I am assuming that it's safe against mitm which the base Diffie-Hellman is vulnerable to (I might be wrong. I couldn't find if it waa vulnerable or not).

[-] vedard@infosec.pub 1 points 1 year ago

You are describing TLS, which is commonly used for websites and web apps.

Try the following command:

openssl s_client -connect infosec.pub:443

The public key, the authority that signed the certificate, and the cypher used will all be visible.

For me, the cipher used is ECDHE-RSA-AES256-GCM-SHA384.

[-] iamak@infosec.pub 1 points 1 year ago

Oh. Okay. I'll check it out once. I'm pretty new to all this so I didn't know this is how SSL works.

this post was submitted on 18 Jul 2023
2 points (100.0% liked)

Discussions related to Infosec.pub

1122 readers
1 users here now

founded 1 year ago
MODERATORS