Don't most websites send passwords in plaintext for login and rely on the connection being HTTPS for having any security at all? I don't like that, but it seems to be very common, so I'm not surprised about the plaintext part of this article. But that the passwords are sent to a server at all, that did surprise me; good to know.



Plaintext can mean a few things: encrypted in transit using an HTTPS connection means it's no longer plaintext.


The article and source material are light on details here. My guess is that it is using HTTPS, but the researchers saw the plaintext password in the request and assumed “password in plaintext always bad”.

If the app isn’t using HTTPS, then the story would be much bigger than just the password being plaintext.


How would they have been able to see the content of a request from the router to AWS if it was HTTPS?


You can MITM HTTPS, the device just needs to trust the cert (which isn't hard to do).

