Plain text password over HTTPS

Backend · Unresolved · 7 · 610
耶瑟儿~ 2020-12-07 13:19

I'm currently working on a PHP OpenID provider that will work over HTTPS (hence SSL encrypted).
Is it wrong for me to transmit the password as plain text?

Related tags: HTTP
7 answers
  • 2020-12-07 13:37

    @CodeDog's example has issues.

    Yes, I can believe that users will log into a cafeteria box. If you are capturing logs from a corporate cafeteria, then you are the security breach. Corporate cafeteria boxes should be set up disabled, e.g. no terms, no loggers, no remote access, etc., in order to prevent you, the inside hacker.

    The example is a good one of computer access security, and not really related to network security. It is provided as justification for client-side hashing, but if you have computer access you could just use a keystroke logger and bypass that. The client-side hash is again irrelevant. The example by @CodeDog is a computer access hack and requires techniques different from network layer hacks.

    Also, a public computer hack is protected against by crippling the system from threats, as mentioned above, e.g. use a Chromebook for a public cafeteria computer. But that is bypassed by a physical hack. During off hours, go to the cafeteria and set up a secret camera to record keyboard presses by users. Then it doesn't matter if the cafeteria computer is crippled, OR what type of encryption is used.

    physical layer -> computer layer -> client layer -> network layer -> server layer

    For networking, it doesn't matter if you hash on the client side because the HTTPS/SSL layer will encrypt the plain password. So as others mention, client hashing is redundant if the TLS is secure.

    0 · Discussion (0)
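The server-side handling this answer argues for (accept the plain password over TLS, do all hashing on the server, never let it touch plain HTTP), written out as an added example. It is not code from the original thread, from the asker's OpenID provider, or from any OpenID library; the function names, the `users` table and the in-memory SQLite setup are assumptions made for the illustration.

```php
<?php
// Added example (hypothetical helpers, not the original poster's code):
// a minimal credential handler that relies on TLS for transport protection
// and on server-side password_hash() for protection at rest.

declare(strict_types=1);

/** Refuse to process credentials unless the request arrived over HTTPS. */
function require_https(): void
{
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
    if (!$isHttps) {
        http_response_code(403);
        exit('Credentials are only accepted over HTTPS.');
    }
    // HSTS: browsers keep using TLS for this host, so a later plain-HTTP
    // request cannot leak the password in transit.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

/** Store a new password: only the server-side bcrypt hash ever reaches the database. */
function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted per user by PHP
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/** Verify a login. Returns true on success; never logs or echoes $password. */
function verify_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so response time
    // does not reveal whether the username exists.
    $stored = $row['password_hash'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $stored) && $row !== false;

    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // Transparently upgrade the stored hash when cost parameters change.
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return $ok;
}

// Constructed usage: in-memory SQLite so the example runs offline.
if (PHP_SAPI !== 'cli') {
    require_https(); // only meaningful behind a TLS-terminating web server
}
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
register_user($db, 'alice', 'correct horse battery staple');
var_dump(verify_login($db, 'alice', 'correct horse battery staple'));
var_dump(verify_login($db, 'alice', 'wrong password'));
var_dump(verify_login($db, 'nobody', 'correct horse battery staple'));
```

The point the answer makes maps directly onto this code: nothing about the password is transformed before it leaves the browser, because the TLS session already protects it in transit, while the server-side hash is what limits the damage if the `users` table is ever exposed. Hashing on the client instead would only turn the hash into the credential that has to be protected.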