Passwords in plaintext?

Burp Suite in proxy mode is able to decrypt HTTPS traffic of any systems which trust it. It does this by generating an own certificate and use this cert to register itself as a certificate authority on the system it is installed on. When it then proxies a request to a HTTPS webserver, it does the HTTPS handshake itself, decrypts the traffic, issues a certificate for the webserver signed by itself as a certificate authority, uses that certificate to re-encrypt the traffic and send both the forged certificate and the re-encrypted data to the client.

This allows Burp Suite to eavesdrop on HTTPS traffic. A user which uses a normal proxy server or doesn't trust the Burp Suite pseudo-CA would not have their credentials compromised.

Tags:

Authentication

Passwords

Tls

Burp Suite

Related

Is it possible to prove a certain email has been sent using a certain computer? Recommended key usage for a client certificate How safe are Firefox addons from official mozilla.org site? Is Django vulnerable to shellshock? New payment option on Paypal "Enter your online banking ID + password": Any mechanism that could make this safe? Is it dangerous to post my MAC address publicly? Why do browsers enforce the same-origin security policy on iframes? Does Android encryption really prevent law enforcement access? What are the differences between dictionary attack and brute force attack? How do systems protect against a stolen code-signing certificate after the certificate expires? What role do hashes play in TLS/SSL certificate validation? My IP address (with a NAS) is targeted by a hacker. What to do? Should I be worried?

Recent Posts