httpd-users mailing list archives

From John Brayton <jb-apa...@virtualsanity.com>
Subject Re: When SSL is overkill
Date Wed, 03 Jul 2002 13:30:36 GMT
> However, most of the restricted material could just as well be placed on a
> normal http, if it was not for the access control. I am currently using
> Basic authentication on the SSL, which ensures that my password is not
> transferred in clear text.
>
> Is it possible to configure a server, so
>
>    - when entering the server, authentication is done over SSL
>    - After the user successfully logged in, the contents of the server
>      can be transferred using only http

You could use digest authentication which is designed to do exactly 
this.  See:

     http://httpd.apache.org/docs/howto/auth.html#digest

But there are several caveats, which are documented on that page.  In 
addition, there are known incompatibilities between digest 
authentication in IE and Apache.  This is documented at:

     http://www.eweek.com/print_article/0,3668,a%3D24177,00.asp

You may also want to check out this system, which does form-based 
authentication via a JavaScript performing a secure hash on the username 
and/or password:

     http://pajhome.org.uk/crypt/md5/

I believe that this is *less* secure than using Basic Authentication via 
HTTPS, but more secure than Basic Authentication via HTTP.  And it 
avoids some of the SSL administration headaches.

John
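
The digest exchange suggested in the message above, as an added example that is not part of the original message or of Apache's code: it computes the RFC 2617 `qop=auth` response from an htdigest-style stored hash and verifies it on the server side. The function names are hypothetical; the sample values are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(user, realm, password):
    # What the server stores: user:realm:HA1. HA1 is password-equivalent for
    # this realm, so the file needs the same protection as a password file.
    return f"{user}:{realm}:" + md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 qop=auth: the response binds HA1 to the server nonce, the
    # request method and URI. The password itself never crosses the wire.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_line, method, fields, issued_nonces):
    # Server side: recompute the response from the stored HA1 and compare.
    user, realm, ha1 = stored_line.split(":", 2)
    if (fields["username"], fields["realm"]) != (user, realm):
        return False
    if fields["nonce"] not in issued_nonces:  # reject nonces we never issued
        return False
    expected = digest_response(ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])

# Sample values: the worked example from RFC 2617 section 3.5.
STORED = htdigest_line("Mufasa", "testrealm@host.com", "Circle Of Life")
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
AUTH_FIELDS = {
    "username": "Mufasa", "realm": "testrealm@host.com", "nonce": NONCE,
    "uri": "/dir/index.html", "qop": "auth", "nc": "00000001",
    "cnonce": "0a4f113b",
}
AUTH_FIELDS["response"] = digest_response(
    STORED.split(":", 2)[2], "GET", AUTH_FIELDS["uri"], NONCE,
    AUTH_FIELDS["nc"], AUTH_FIELDS["cnonce"])

if __name__ == "__main__":
    print("Authorization response:", AUTH_FIELDS["response"])
    print("accepted:", server_verify(STORED, "GET", AUTH_FIELDS, {NONCE}))
    # Only the credential is protected; the page body still travels as
    # plain HTTP, and a request for a different URI fails verification.
    moved = dict(AUTH_FIELDS, uri="/dir/other.html")
    print("other URI accepted:", server_verify(STORED, "GET", moved, {NONCE}))
```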

