in reply to Encrypting User/Pass sent by WWW::Mechanize

It sounds like the web page you are logging onto is using HTTPS (a secure encrypted connection).

You can confirm this by looking at the first part of the Address bar in your web browser when you log into your brokerage account. If it says "https://" at the front, you are using HTTPS. If it says "http://" at the front, you are using an unencrypted connection.

If it does say https, try substituting http in the Address bar of your web browser, and login again. If it doesn't work this means your server only allows encrypted login.

Now check whether your username and pass are submitted via a GET or POST. You can do this by logging into your brokerage account and then look at the first Address after you login. If it contains your username somewhere in it, than it is GETing, if it doesn't than you are POSTing.

Finally if you are POSTing and your server requires HTTPS, and your script in its current form works - than your username and password are already being encrypted by HTTPS and you do not need to do it a second time.

In any case, chances are no-one is going to sniff your password. If a professional wanted to do it - they can always hack the DNS system to setup a fake proxy between you and the server. Several people in Switzerland have had their online banking hacked and money stolen by some Russians just recently using this technique. The banks used timed-sessions over HTTPS and had snail-mailed user IDs and passwords, but they still got through. Feel safe? :)


Andrew Tomazos  |  |