What is Weak Login Function – Other Plaintext Protocol with no Secure Alternative Vulnerability?

HTTPS is critical for ensuring a secure connection between a website and a browser. Users are at risk while using public Wi-Fi networks, and HTTPS is the only solution that can protect user accounts from this vulnerability when used appropriately.

HTTPS is critical because it does much more than “encrypt passwords.” Another critical job is to prevent the user from logging into a rogue server that is masquerading as a legitimate one. Using a mechanism to protect the password alone is still a violation of OWASP A9 – Inadequate Transport Layer Protection, since you are still communicating session credentials in plain text, which is all the attacker needs.

1- A secure transport layer cannot be built using JavaScript-based encryption.

2- “Tokenize logins”: If an attacker sniffs the traffic, they will have the plain text username/password and can simply log in with these captured credentials (replay attack).

3- “Somehow encrypt the communicated password”: After the user logs in, an attacker can sniff the traffic to obtain the valid session id (cookie) and then use this instead of logging in. This is not a problem if the whole session is encrypted using SSL/TLS.
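A defender-side check for the three points above, written as an added example that is not part of the original post or of ZOFixer's scanner: it audits a captured login response for a form that posts credentials over plain HTTP, a session cookie without the Secure flag (sniffable after login), and a missing HSTS header. The sample responses and the host shop.example are constructed placeholders.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in the response body."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, headers, body):
    """Return a list of findings for a captured login response (empty = clean).

    headers is a list of (name, value) pairs as the client received them.
    """
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login page served over plaintext HTTP")
    parser = _FormActions()
    parser.feed(body)
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts credentials to {target} (not HTTPS)")
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            for morsel in cookie.values():
                if not morsel["secure"]:  # cookie may be sent over HTTP after login
                    findings.append(f"cookie {morsel.key} lacks Secure flag (sniffable)")
    if not any(name.lower() == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header (downgrade to HTTP possible)")
    return findings


# Constructed sample responses (shop.example is a placeholder, not a real site).
LOGIN_FORM = '<form method="post" action="/login"><input name="user"><input name="pass" type="password"></form>'
WEAK_URL = "http://shop.example/login"
WEAK_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")]
HARDENED_URL = "https://shop.example/login"
HARDENED_HEADERS = WEAK_HEADERS[:1] + [("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
                                       ("Strict-Transport-Security", "max-age=31536000")]
```

Calling `audit_login_page(WEAK_URL, WEAK_HEADERS, LOGIN_FORM)` reports all four weaknesses, while the hardened variant returns an empty list.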

The ZOFixer.com security scan helps to find this vulnerability in your software and server; you can easily use it by registering on our website and activating the 30-day trial.
