How does web browsers transfer Passwords to origin servers?

Question

My question is simple regarding password security..

As a web application developer using PHP for example, I may design a html form that accepts a username and password and post them to the webserver using the POST method..

My question is:

1- When a user enters a password for this form on a web browser, does this web browser send the password over the network as plaintext and thus insecurely?

2-isn't it possible that the web browser saves all passwords and sends them to the third party that design the web browser?

Thank you in advance

Answer 1

1. It's sent unencrypted (though possibly obfuscated) if you're using HTTP, or encrypted if you're using HTTPS.

2. Any mainstream web browser won't do that, no. It would be discovered within seconds of the browser being released. However, it's possible for such a leak to occur by other means, for example:

   o A rogue browser plugin

   o A rogue proxy on the user's network (if you're using HTTP)

   o A keylogger on the user's machine

Answer 2

1. Yes, unless you're using https, which encrypts everything sent between the server and the client.
2. Sure, but you could use a network sniffer to verify that the browser sends no information to third party servers.