I am not a Security Expert by any means. Nor am I a Cryptographer. That’s why I’m here.
After discovering that the server side of some software I work on was operating on plain text passwords (though I later determined that only the hash was stored in the database) I started researching into what parts along the way between the client and the server the password was in plain text.
I, of course, had a heart attack. I couldn’t believe that the software I was working on would ever allow someone to read a password in plain text at any point after the login button was clicked. So I started researching the question.
First I determined that the network packets were indeed encrypted via SSL. I had implemented a MitM attack against myself using Fiddler to decrypt the packets. This eased my worries, but only for about 60 seconds. I then discovered a number of blog posts by security companies advising their readers to DECRYPT and INSPECT the SSL packets being sent across their networks. The reasoning being that even Malware can use SSL, and that it often does exactly that to hide from firewalls.
Here’s where I started to get concerned. You see, I don’t trust anything or anyone when it comes to security.
If a security administrator can decrypt my SSL packets on my corporate network, why can’t a bad actor working at my ISP do the same thing?
I started researching how passwords should be transmitted via HTTPS, and ran into an interesting debate, that is mostly settled, from the early days of HTTPS. This was the debate on Client-Side vs Server-Side hashing. Server-Side hashing makes perfect sense, and clearly wins in a situation where the network packet encryption is practically impenetrable, but once you have a company’s IT department decrypting those packets, is server-side hashing really the only thing we need?