How to encrypt the password entered by the user

When the user enters the password on the login page and clicks to log in, a packet capture can obtain the plaintext password, which is a security risk.

How do I encrypt the password entered by the user and transmit it to the server?

Well, could you maybe elaborate on these points:

  • What exact scenario do you have in mind where somebody can capture such a packet? Are you thinking about an HTTP or an HTTPS connection? Who else (except you in your browser) can read this packet?

    • Is the attacker between your machine and the JupyterHub? Then an encrypted connection (e.g., HTTPS) should solve it.
    • Is the attacker on your machine? Then they should not be able to easily enter into your browser.
    • Is the attacker inside your browser? Then you have a problem. This is why you should be careful about what extensions you install and you should use an up-to-date browser.
    • If an attacker has access to your machine, they could also run a keylogger and access the password that way. Additional ways of recording the password might be possible.
  • What kind of security concept do you have in mind to prevent such a packet capture from happening? Like, you want to encrypt the password before transmitting it? How exactly do you plan to do that? Because eventually, at some point, the password must be available in plaintext. If you encrypt the password (but not the connection), then the attacker might find it easier to just guess the encrypted password and provide that to the JupyterHub instead. The details depend on the scenario (see previous point).

  • If we talk about private data in a browser, it just is a sensitive topic. Eventually, you must trust your browser because if somebody implanted some malicious code, they do have your passwords as you type them in! This is why bugs in browsers frequently have wide-reaching consequences.

I suggest you look for a nice book on computer security, because there are people who can explain the details much better than me :)

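The reply's point about encrypting the password but not the connection, as an added example that is not part of the original posts: if the login page hashes the password in the browser and sends the result over plain HTTP, the hash itself becomes the credential. `ToyServer`, `client_side_hash` and `capture` are hypothetical names, and the account data is constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample data: the account name and password are made up.
USER = "alice"
PASSWORD = "correct horse battery staple"


def client_side_hash(password: str) -> str:
    """What a login page would send if it hashed the password in the browser."""
    return hashlib.sha256(password.encode()).hexdigest()


class ToyServer:
    """Hypothetical server that accepts the client-side hash as the credential."""

    def __init__(self):
        self.stored = {USER: client_side_hash(PASSWORD)}

    def login(self, user: str, submitted: str) -> bool:
        expected = self.stored.get(user, "")
        return hmac.compare_digest(expected, submitted)


def capture(request: dict) -> dict:
    """Stand-in for an observer on an unencrypted (HTTP) connection."""
    return dict(request)


def run_demo():
    server = ToyServer()
    # Legitimate login: the browser hashes, then sends over plain HTTP.
    request = {"user": USER, "credential": client_side_hash(PASSWORD)}
    seen = capture(request)
    legit_ok = server.login(request["user"], request["credential"])
    # The observer never sees PASSWORD, yet the captured value alone logs in.
    replay_ok = server.login(seen["user"], seen["credential"])
    password_leaked = PASSWORD in seen.values()
    return legit_ok, replay_ok, password_leaked


if __name__ == "__main__":
    print(run_demo())
```

The plaintext password never crosses the wire, but the captured value is accepted exactly like it, which is why the reply points to encrypting the connection (HTTPS) instead.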