3

If I sent a username and the password to a website over HTTPS, is it possible that someone on the net would save this request and re-send it later to authenticate on the website?

Matthew
  • 27,263
  • 7
  • 89
  • 101
Tony
  • 141
  • 1
  • 6

3 Answers3

8

If someone just records encrypted HTTPS session and if the connection served over the secure TLS protocol version with the strong cipher suite, then the answer is no. Neither they will be able to decrypt your credentials nor replay traffic to create bogus session. TLS protocol provides message authentication and has its own replay attack protection.

Artem Bychkov
  • 491
  • 2
  • 7
2

Unless they hijack your session (at which point you wouldn't need the re-authenticate), no. When setting up a new session the TLS protocol will negotiate a new session key. So the intercepted authentication will be encrypted with a different key making it impossible for the server to understand what the attacker has just sent. For more info on how TLS works please read this question and answer.

BadSkillz
  • 4,444
  • 25
  • 29
0

is it possible that someone on the net save this request

Since HTTPS is usually end-to-end encryption that someone needs to be at one of the ends, i.e. in the client (bad browser extension or similar) or the server (compromised server) to get the unencrypted request. The encrypted data will be of no help.

In case of legal SSL interception in firewalls that someone can be also there to access the request in plain. Illegal SSL interception (man in the middle attack) is similar, but in this case you get a browser warning which you should not ignore.

re-send it later to authenticate on my web site

If the data are grabbed then they can be resent.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • " in this case you get a browser warning which you should not ignore." I'm behind a network that pops up those warning in some websites. Does that mean they are intercepting traffic? – Joao Miesler Apr 13 '16 at 09:37
  • @JoaoMiesler: Possible but hard to tell without further details. It might also be that the sites you visit send a wrong certificate by themselves. – Steffen Ullrich Apr 13 '16 at 09:51
  • It's possible because at home I don't get those warnings. Thank you for the answer. – Joao Miesler Apr 13 '16 at 09:58