Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I could do with some guidance regarding password encryption.
I've written a script to login to a HTTPS website and retrieve a session token. I'm using OpenSSL and have created the certificates which appear to work.
My concern is whether or not the username and password are being sent in plain text in the content of the POST. Do I need to encrypt them before posting? If so, how do I do that?
Here is the code:

#!c:\perl\bin\perl -w
use warnings;
use strict;
#use Crypt::SSLeay;
use LWP::UserAgent;
use Net::SSL ();    # From Crypt-SSLeay
use Data::Printer;
use Time::HiRes qw(time);
#use HTTP::Request::Common;
#use LWP::Debug qw(+);
#use IO::Socket::SSL qw(debug3);

#BEGIN {
#    $Net::HTTPS::SSL_SOCKET_CLASS = "Net::SSL";    # Force use of Net::SSL
#}

my $loginUrl = 'https://xxxxxxxxxxx.com/api/login';
my $username = "xxxxx";
my $password = "yyyyy";
my $appkey   = "abcde12345";
my $ssid;

$ENV{HTTPS_DEBUG}     = 1;
$ENV{HTTPS_CERT_FILE} = "C:/OpenSSL-Win32/bin/client-2048.crt";
$ENV{HTTPS_KEY_FILE}  = "C:/OpenSSL-Win32/bin/client-2048.key";
# 0 turns off hostname/certificate verification of the server; this is why
# the response below carries "Client-SSL-Warning: Peer certificate not verified"
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;

my $ua = LWP::UserAgent->new;
$ua->timeout(15);

my $loginReq = HTTP::Request->new( POST => $loginUrl );
$loginReq->header(
    'Accept'        => "application/json",
    'X-Application' => $appkey,
);
$loginReq->content_type('application/x-www-form-urlencoded');
# NB: username/password are not URL-encoded here; a '&' or '%' in either
# would corrupt the form body
$loginReq->content("username=${username}&password=${password}");

print "\n\nLogin....\n\n";
my $loginRes = eval { $ua->request($loginReq) };
die "request failed: $@" unless $loginRes;    # eval returns undef if the request died
#print p($loginRes);
print "\n\nas_string:\n" . $loginRes->as_string;
print "\n\nmessage:\n" . $loginRes->message;
print "\n\ncontent:\n" . $loginRes->content;

if ( ($loginRes) and ( $loginRes->message eq "OK" ) ) {
    if ( $loginRes->content =~ /\{"sessionToken":"(.*?)","loginStatus":"SUCCESS"\}/ ) {
        $ssid = $1;
    }
}
# print the captured variable, not $1, which is only valid right after a successful match
print "\n\nssid = ", ( defined $ssid ? $ssid : '<none>' ), " \n\n";
exit;

And here is the output:

Login....

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

as_string:
HTTP/1.1 200 OK
Connection: close
Date: Thu, 06 Feb 2014 15:00:47 GMT
Content-Length: 87
Content-Type: application/json;charset=UTF-8
Client-Date: Thu, 06 Feb 2014 15:00:16 GMT
Client-Peer: 84.20.200.150:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
Client-SSL-Cert-Subject: /C=GB/ST=United Kingdom/L=London/O=xxxxxxxxxxxxxxx/OU=xxxxxxxx/CN=xxxxxxxx.com
Client-SSL-Cipher: RC4-SHA
Client-SSL-Socket-Class: Net::SSL
Client-SSL-Warning: Peer certificate not verified
POOL: /Common/PRDSSO

{"sessionToken":"HeKrc1c7tRYOwvBkHP5iuR/P/Q6lHqcxLkOKT5+gP5I=","loginStatus":"SUCCESS"}

message:
OK

content:
{"sessionToken":"HeKrc1c7tRYOwvBkHP5iuR/P/Q6lHqcxLkOKT5+gP5I=","loginStatus":"SUCCESS"}

ssid = HeKrc1c7tRYOwvBkHP5iuR/P/Q6lHqcyZkOKT5+gP5I=

Re: HTTPS and LWP - Is my password encrypted
by ww (Archbishop) on Feb 06, 2014 at 20:10 UTC

    You can pretty much answer your own question: see http://wiki.wireshark.org/Tools.

    Or, you could read up on how https works... which -- oversimplified -- means it and the user's agent negotiate a session key (ie, encryption element) BEFORE data like passwords is sent over the wire. For slightly more precise info, check http://en.wikipedia.org/wiki/HTTP_Secure (or, better yet, read the authoritative docs).

    Update: Borked link to the wireshark tools wiki page fixed. Thanks, erix, for the heads up!

    Come, let us reason together: Spirit of the Monastery
Re: HTTPS and LWP - Is my password encrypted
by locked_user sundialsvc4 (Abbot) on Feb 06, 2014 at 21:32 UTC

    To assuage your immediate fears, in an HTTPS (that is, SSL) exchange, everything in the exchange is encrypted, although you do not see the encryption/decryption being performed.   Thus, the token is not visible to anyone else . . .

    . . . I - F . . . you are absolutely certain that the exchange is taking place through SSL as it should be, and as certainly appears to be the case here.   However, it still pays to make sure, for example in the server-side code (and, really, in client-side as well) that any exchanges which you expect to be encrypted, actually are.   Some systems have been exploited, in part, by sending login-request API-calls to non-encrypted versions of URLs and finding that a valid access token was returned along a wide-open channel.   Even your client-side JS code should not accept a JSON-response that came from an open channel.   (“Trust, but Verify.™”)
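Editor's added example, not code from the thread or from either monk: both replies come down to the same check, namely that the credentials really travel inside the TLS session (ww) and that the client refuses a token that did not arrive over an encrypted, verified channel (sundialsvc4). The script below is the original login client rewritten for LWP 6 with IO::Socket::SSL (rather than Crypt::SSLeay's Net::SSL used in the thread), with the server certificate actually verified, plain http disallowed for the agent, redirects off, form values URL-encoded and the JSON parsed properly. The host, CA bundle path and credentials are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the thread): an LWP login client that only talks
# verified HTTPS and checks the reply came back over TLS before trusting
# the session token. Host, CA path and credentials are placeholders.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use JSON::PP;

my $login_url = 'https://login.example.invalid/api/login';   # placeholder
my $ca_file   = '/path/to/ca-bundle.crt';                     # placeholder: CA(s) that issued the server cert

# verify_hostname => 1 makes LWP check the certificate chain AND that the
# certificate's CN/SAN matches the host. The thread's script set
# PERL_LWP_SSL_VERIFY_HOSTNAME=0, which is why its output carried
# "Client-SSL-Warning: Peer certificate not verified".
my $ua = LWP::UserAgent->new(
    timeout  => 15,
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => $ca_file,
        # client certificate, if the API requires one as in the thread:
        # SSL_cert_file => 'client.crt', SSL_key_file => 'client.key',
    },
);
# Plain http is not an allowed protocol for this agent at all, so neither
# the login URL nor any redirect target can downgrade the exchange.
$ua->protocols_allowed(['https']);
$ua->requests_redirectable([]);   # never follow a redirect carrying credentials

sub login {
    my ($username, $password, $appkey) = @_;

    # POST with a form arrayref: values are URL-encoded by HTTP::Request::Common,
    # so a '&' or '%' in the password cannot break or alter the body.
    my $req = POST $login_url,
        'Accept'        => 'application/json',
        'X-Application' => $appkey,
        Content         => [ username => $username, password => $password ];

    my $res = $ua->request($req);
    die "login failed: " . $res->status_line unless $res->is_success;

    # Trust, but verify: confirm the response really arrived over TLS.
    die "response did not arrive over https"
        unless $res->request->uri->scheme eq 'https';
    die "no TLS cipher recorded on the response"
        unless defined $res->header('Client-SSL-Cipher');

    my $data = eval { decode_json( $res->decoded_content ) }
        or die "response is not valid JSON: $@";
    die "login not successful"
        unless ( $data->{loginStatus} // '' ) eq 'SUCCESS' && $data->{sessionToken};
    return $data->{sessionToken};
}

my $token = login( 'user', 'p@ss&word', 'abcde12345' );   # placeholder credentials
print "session token obtained over verified TLS\n";
```

If the URL is ever changed to http, or the server redirects there, `$ua->request` returns an internal 500 ("Access to 'http' URIs has been disabled") and the `is_success` check dies before any token is read; a certificate that does not chain to `$ca_file` or does not match the hostname fails the same way at handshake time, instead of being reported as a warning header and ignored.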