Chrome developer tools show my Facebook password in plain text even over HTTPS

Time: 2014-02-25 22:17:17

Tags: security http authentication web https

I was playing around with the Chrome developer tools when I noticed that whenever I log in to Facebook over HTTP, the Network tab in the dev tools shows the body of that request, including the username and password in the packet body.

So I switched to HTTPS (and even ticked the option on the settings page to always use HTTPS). Even so, my password still showed up in plain text. Why is that? Here is a screenshot that demonstrates it. (Note that I entered a wrong password for security reasons.)

password and email in plaintext even though over HTTPS

Is the packet only encrypted after the network tool sniffs it? How can I test to make sure the packet really is encrypted?

For reference, here is a dump of the POST request:

Request URL:https://www.facebook.com/login.php?login_attempt=1
Request Method:POST
Status Code:200 OK
Request Headers
:host:www.facebook.com
:method:POST
:path:/login.php?login_attempt=1
:scheme:https
:version:HTTP/1.1
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-encoding:gzip,deflate,sdch
accept-language:en-GB,en-US;q=0.8,en;q=0.6,pt;q=0.4
cache-control:max-age=0
content-length:324
content-type:application/x-www-form-urlencoded
// Deleted a few cookies for security reasons...
dnt:1
origin:https://www.facebook.com
referer:https://www.facebook.com/?stype=lo&jlou=Afd7GLl1MQLgCyvMMjJenU4EvxR4ANAAflf50TeVZaJHh-yNP6tZEzME3PYy-DNM3CVM8ttZVaZGimz6ijlniIJDFRiB-0Qw-DC7nSw4tHLIiw&smuh=30769&lh=Ac8k0ZF0uJVvz4_n
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Query String Parameters
login_attempt:1
Form Data
lsd:AVqqq2cf
email:gkrinker@gmail.com
pass:123
persistent:1
default_persistent:1
timezone:-60
//deleted a few session ids for security reasons...
locale:en_US

cache-control:private, no-cache, no-store, must-revalidate
content-encoding:gzip
content-type:text/html; charset=utf-8
date:Tue, 25 Feb 2014 22:12:02 GMT
expires:Sat, 01 Jan 2000 00:00:00 GMT
p3p:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
pragma:no-cache
set-cookie:wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
set-cookie:act=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
set-cookie:datr=TuvNUR6ZSfKVMK3QwA50-qF8; expires=Thu, 25-Feb-2016 22:12:02 GMT; path=/; domain=.facebook.com; httponly
set-cookie:sfiu=AYi8HE2Cetp79id0RVGdEL2fpeUeVwYCuNpgooZtuzNhmseXX4IOJza76oWsoRIhFgvt2CzXEC5AR6j5J2nhUHrrSxrkcXJp3J2QXFMWGn7tCYbZWATyigAk8GXLm-1VkVttzp2hgVEXKNS7e5Tdxw0gOhcX-1yK8jp6sgEwPPRXcQ; path=/; domain=.facebook.com; httponly
set-cookie:dpr=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
set-cookie:_e_0BOa_1=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
set-cookie:reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com
set-cookie:reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Flogin_attempt%3D1; path=/; domain=.facebook.com
set-cookie:_e_0BOa_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
status:200
strict-transport-security:max-age=0
version:HTTP/1.1
x-content-type-options:nosniff
x-fb-debug:gAsXRZwDHjUchVaRN+tSxFB1HNch3rTCqXW6744DdQI=
x-frame-options:DENY
x-xss-protection:0
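
The check the question asks for, as an added example that is not part of the original post: a real TLS session run entirely in memory shows the form body handed to the TLS layer (which is what DevTools displays) next to the bytes that actually cross the wire. It assumes the `openssl` command-line tool is installed to mint a throwaway self-signed certificate; `FORM_BODY` is a constructed body with fake credentials, not the author's data.

```python
import ssl
import subprocess
import tempfile
from pathlib import Path

# Constructed POST body shaped like the "Form Data" in the dump above (fake credentials).
FORM_BODY = b"lsd=AVqqq2cf&email=user%40example.com&pass=123&persistent=1"

def _self_signed_cert(tmp: Path) -> tuple[Path, Path]:
    """Create a throwaway key/cert pair with the openssl CLI (assumed to be installed)."""
    key, cert = tmp / "key.pem", tmp / "cert.pem"
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(key), "-out", str(cert), "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return key, cert

def tls_wire_bytes(body: bytes) -> tuple[bytes, bytes]:
    """Return (every byte that crossed the 'wire', the body the server decrypted)."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = _self_signed_cert(Path(d))
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(cert, key)
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
        cli_ctx.load_verify_locations(cert)  # trust only the throwaway cert
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = srv_ctx.wrap_bio(s_in, s_out, server_side=True)
    wire = bytearray()  # stands in for what tcpdump or Wireshark would capture

    def pump():  # deliver each side's outgoing TLS records to its peer
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            data = src.read()
            wire.extend(data)
            dst.write(data)

    done = [False, False]
    while not all(done):
        for i, side in enumerate((client, server)):
            if not done[i]:
                try:
                    side.do_handshake()
                    done[i] = True
                except ssl.SSLWantReadError:
                    pass  # needs the peer's next handshake flight first
            pump()
    client.write(body)  # the plaintext DevTools shows, handed to the TLS layer
    pump()
    return bytes(wire), server.read(65536)
```

The captured bytes start with a TLS record header and never contain `pass=`, while the server still recovers the exact body; DevTools simply shows the request before it is encrypted.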

0 answers:

No answers