Plaintext formdata on login POST?

Nextcloud version (eg, 20.0.5): 21.0.1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 18.04
Apache or nginx version (eg, Apache 2.4.25): 2.4.46
PHP version (eg, 7.4): 8.0.3

The issue you are facing:
I can see that clients send passwords in plaintext from the login screen. Is this expected?
I know I am using SSL/HTTPS and all, but wouldn’t the server receive this in cleartext as well? One of my users has noticed this, and I then would like to know if this is supposed to be the case.
Pardon my lack of knowledge on the specific area, and I appreciate any good explanations 🙂

Steps to replicate it:

  1. Go to login screen, open up dev tools in your browser
  2. Write username and password (test, test)
  3. See the request output in cleartext

Hi @denNorske

The password cannot be hidden in the browser’s network inspector. But it will only get cached and displayed there, if you open the console and explicitly start the capture process. As soon as you close the console or load a new page, the information will get deleted.

To test if the data that gets transmitted really is encrypted you would have to use tools like Wireshark that monitor the traffic directly on the network interface of your computer or somewhere in between your computer and the server. It can’t be done directly in the browser, because the browser always sees the information you type in in cleartext, before it gets transmitted. But usually you can trust the lock symbol in your browser. If it is locked and shows “connection secure” if you click on it, the connection is encrypted and everything should be fine 🙂

Hope that helps

1 Like
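The difference between what dev tools shows and what a network capture shows, as an added example that is not part of the original thread: a small Python check that takes reassembled TCP payload bytes (as you would export them from Wireshark) and reports whether they are TLS records or cleartext HTTP, and whether the form data is readable. The host name, request path and both sample payloads are constructed for illustration; the TLS sample uses filler bytes in place of real ciphertext.

```python
import struct

# TLS record content types (RFC 8446, section 5.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"PATCH ")


def parse_tls_records(payload):
    """Return record type names if payload is a whole number of
    well-formed TLS records (reassembled stream assumed), else None."""
    records, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 5:           # record header is 5 bytes
            return None
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        # Record version field is 0x0301..0x0303; TLS 1.2 allows at most
        # 2^14 + 2048 bytes of ciphertext per record.
        if (ctype not in CONTENT_TYPES or major != 3
                or minor not in (1, 2, 3) or length > 16384 + 2048):
            return None
        if offset + 5 + length > len(payload):  # truncated record
            return None
        records.append(CONTENT_TYPES[ctype])
        offset += 5 + length
    return records or None


def classify(payload, secrets):
    """Say what the captured bytes look like and which secrets are readable."""
    records = parse_tls_records(payload)
    if records is not None:
        kind = "tls"
    elif payload.startswith(HTTP_METHODS):
        kind = "cleartext-http"
    else:
        kind = "unknown"
    leaked = [s for s in secrets if s.encode() in payload]
    return {"kind": kind, "records": records or [], "leaked": leaked}


# Constructed samples, not real captures.
FORM = "user=test&password=test"
CLEARTEXT = (f"POST /login HTTP/1.1\r\nHost: cloud.example\r\n"
             f"Content-Length: {len(FORM)}\r\n\r\n{FORM}").encode()
# One application_data record; bytes 128..191 stand in for ciphertext.
TLS_SAMPLE = b"\x17\x03\x03" + struct.pack("!H", 64) + bytes(range(128, 192))

if __name__ == "__main__":
    for name, data in (("http", CLEARTEXT), ("https", TLS_SAMPLE)):
        print(name, classify(data, ["password=test"]))
```
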