Credential in plain text
Reported by
ravisain...@gmail.com,
May 22 2016
|
||
Issue descriptionThis template is ONLY for reporting privacy issues. Please use a different template for other types of bug reports. Please see http://www.chromium.org/Home/chromium-privacy for further information. PRIVACY ISSUE Please provide a brief summary of the privacy issue. VERSION: Chrome Version: All Operating System: All REPRODUCTION STEPS I just noticed while working with one of the proxy device, enabled SSL scanning and break the direct SSL handshake between client and google, we can see the username and password flowing in the plain text, In an organization using proxies, it's a direct violation of privacy. Could it be blocked using any java script to generate hash/encrypt login information instead of plain text in a HTTP POST request.
,
May 23 2016
WontFix/WorkingAsIntended If you are capable of breaking the SSL handshake, then you've either compromised a CA (which is a far more serious event), or, more likely, you have administrative access on a machine. Administrative access on a machine is explicitly outside of Chrome's security model. You can find more details explaining this at https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters- and https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
,
May 23 2016
You're right, I have admin privilege of the machine and an internal CA is installed in my trusted root CA DB, most companies do that , just a suggestion if it's possible to send password in hash/encrypted in a POST method so the admin of the proxy should not take advantage of it :) |
||
►
Sign in to add a comment |
||
Comment 1 by battre@chromium.org
, May 23 2016