LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Why do HTTP credentials show up in plaintext in Wireshark, but HTTPS credentials don't — even when the attacker is fully in-path?

HTTP traffic is unencrypted on the wire — anyone with packet capture sees usernames and passwords. HTTPS encrypts at the TLS layer, so the attacker sees only ciphertext, even when MitM-positioned.

HTTP example (a deliberately vulnerable web app):

POST /login HTTP/1.1
Host: dvwc.introl.ls.eee.intern
Content-Type: application/x-www-form-urlencoded

username=admin&password=hunter2     ← visible in plain text!

A simple Wireshark filter http.request.method == "POST" reveals all credentials.

HTTPS example (real mycampus.hslu.ch):

TLS Application Data
Encrypted: 4a 7e 02 bf 8c 91 ... (random bytes)

Same login, but inside the TLS encryption. The attacker sees:

  • That a connection happened (metadata)
  • The destination IP and port
  • The size and timing of packets
  • Not the contents

Why the attacker can't decrypt:

The session keys were derived using:

  1. Server's private key (which the attacker doesn't have)
  2. Both sides' random values
  3. Diffie-Hellman exchange

Without the server's private key (or some way to break the cryptography), the encrypted bytes are indistinguishable from random.

What HTTPS doesn't protect:

What's still leaked Why
Domain (via SNI) Sent in plaintext during TLS handshake
IP address & port Routing requires these in cleartext
Timing & size patterns Can fingerprint specific actions ("user just logged in")
DNS lookups (if not DoH) Plaintext DNS reveals what sites you visit

The MitM next move — SSL Stripping:

If the victim accidentally types http://bank.com (or follows an HTTP link), the attacker can:

  1. Connect to https://bank.com themselves
  2. Serve the response over HTTP to the victim
  3. Read everything the victim types

Defense — HSTS:

Strict-Transport-Security header tells browsers "always use HTTPS for this domain, never HTTP." After first visit, the browser refuses to even try HTTP → SSL stripping fails. HSTS preload list bakes this protection in for top sites from the first visit.

Tip: When testing security, always check whether HTTP fallback exists. A site that "works on HTTPS but also responds on HTTP without redirect" is an SSL-strip target.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026