If you also send your .html and .js files via HTTPS, then - generally speaking - no one will be able to manipulate them during transfer. Of course, there are some practical questions:

- Does the TLS implementation have any bugs?
- Are there flaws in the TLS protocol?
- Is the client's browser or computer compromised?
- Is the server compromised?
- ...

Let's assume that's not the case. But then there's your statement:

> We assumed that besides SSL we never send plain-text password on wire (we hash it first).

So you don't send everything via SSL? Well, the things you don't send via SSL can be stolen and manipulated during transfer. I assume what your friend means is that the hashed password can be stolen! Even though the attacker may not be able to reconstruct the plaintext password, he can simply use the hashed password, if your server accepts the hashed password.

Also see my answer to [GWT/Javascript client side password encryption](https://stackoverflow.com/questions/3570623/gwt-javascript-client-side-password-encryption).

---

About your second question:

> We used Wireshark to sniff requests and responses from client to SSL-enabled web server, and there are none of the RPC packages going around. All we see are these TLS protocol packets...

Well, I really hope so! Your RPC calls are the encrypted payload of these packets. You can use [Wireshark's SSL dissector](http://wiki.wireshark.org/SSL) to decipher the package, if you can provide the private key to Wireshark (be very careful when using with production keys!)
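The point about the hashed password being usable as-is, as an added example that is not part of the original answer: a toy server that accepts a client-side SHA-256 hash as the credential and stores only a salted PBKDF2 verifier of it. A passive observer of an unencrypted connection never learns the plaintext, yet the recorded hash logs in, because the server can only ever check the hash. The user name, password and wire log are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 50_000  # kept small for the demo; a real deployment would use more


def client_hash(password: str) -> str:
    """What the browser sends instead of the plaintext password."""
    return hashlib.sha256(password.encode()).hexdigest()


class Server:
    """Stores a salted, slow hash of the *received* client hash, so a database
    leak does not hand out the wire value directly. It still cannot tell a
    legitimate login from a replayed one."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, verifier)

    def register(self, user: str, wire_value: str) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", wire_value.encode(), salt, ITERATIONS)
        self._users[user] = (salt, verifier)

    def login(self, user: str, wire_value: str) -> bool:
        if user not in self._users:
            return False
        salt, verifier = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", wire_value.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, verifier)


def browser_login(server: Server, user: str, password: str, wire_log: List[str]) -> bool:
    """The client hashes first; wire_log models what an eavesdropper records."""
    value = client_hash(password)
    wire_log.append(value)
    return server.login(user, value)


def replay_demo() -> Dict[str, bool]:
    server = Server()
    server.register("alice", client_hash("correct horse battery"))  # constructed
    wire_log: List[str] = []
    legit = browser_login(server, "alice", "correct horse battery", wire_log)
    # Replay of the recorded hash: accepted, the hash *is* the password here.
    replay = server.login("alice", wire_log[-1])
    # The plaintext itself is not what the server expects, so it is rejected.
    plaintext_as_wire = server.login("alice", "correct horse battery")
    return {"legit": legit, "replay": replay, "plaintext_as_wire": plaintext_as_wire}
```

Only TLS on the login request changes the outcome, since it keeps the hash off the wire in the first place; the server-side salt and slow hash protect the database, not the transport.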