I tried logging in on browser and I had inspected the request. My password was sent in plaintext. Is this a infosec.pub issue or a Lemmy one?

  • iamak@infosec.pubOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    First of all thanks for the very detailed response. I have a few questions.

    1. Like you said, why not use public key cryptography? Why is it not well supported for web-apps?

    2. Why not use something like Diffie-Hellman algorithm to share the password? Signal protocol uses ECDHE so I am assuming that it’s safe against mitm which the base Diffie-Hellman is vulnerable to (I might be wrong. I couldn’t find if it waa vulnerable or not).

    • 0x7d0@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      You are describing TLS, which is commonly used for websites and web apps.

      Try the following command:

      openssl s_client -connect infosec.pub:443
      

      The public key, the authority that signed the certificate, and the cypher used will all be visible.

      For me, the cipher used is ECDHE-RSA-AES256-GCM-SHA384.

      • iamak@infosec.pubOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Oh. Okay. I’ll check it out once. I’m pretty new to all this so I didn’t know this is how SSL works.