DEV Community

Discussion on: Would you send a plain text password from your website to the server over a secure connection?

Nathan Heffley

If somebody has cracked your HTTPS connection, they can probably just inject a script onto the page that steals the password before it's even transmitted.

Theofanis Despoudis

Excuse me, but if that were to happen right now, it would be the end of the Internet...

Nathan Heffley

Sorry, I shouldn't have used "cracked." There are ways to circumvent HTTPS other than cracking it, like a MITM attack, which would allow injecting a script like I said.

Theofanis Despoudis • Edited

Even in that case, it would be the end of the Internet. Unless the HTTPS connection is very flawed or already tampered with, your CA is not trusted, or you have a very flawed browser, that would not happen. An already established TLS connection is a very secure medium.

Now, in order to prevent edge cases vulnerable to MITM attacks, it's recommended to add extra security controls like HSTS and Public Key Pinning, among other things.

Nathan Heffley

Public key pinning is a good solution.

Also, I went to check out your site and your HTTPS certificate is invalid. You should probably fix that 😜

Theofanis Despoudis

Shoot. I forgot to renew the domain name.

theodespoudis.firebaseapp.com/ is the correct one!