re: Would you send a plain text password from your website to the server over a secure connection?

 

If somebody has cracked your HTTPS connection, they can probably just inject a script onto the page that steals the password before it's even transmitted.

 

Excuse me but if that would happen right now, it would be the end of the Internet...

 

Sorry, shouldn't have used "cracked." There are ways to circumvent HTTPS other than cracking it, like a MITM attack which would allow injecting a script like I said.

Even in that case, it would be the end of the Internet. Unless the HTTPS connection is very flawed or already tampered with, or your CA is not trusted, or you have a very flawed browser, that would not happen. An already established TLS connection is a very secure medium.

Now, in order to prevent edge cases vulnerable to MITM attacks, it's recommended to add extra security controls like HSTS and Public Key Pinning, among other things.

Public key pinning is a good solution.

Also, I went to check out your site and your HTTPS certificate is invalid. You should probably fix that 😜
