httpd-users mailing list archives

From Jean-Christian Imbeault ...@mega-bucks.co.jp>
Subject Re: When SSL is overkill
Date Wed, 03 Jul 2002 12:02:05 GMT
Jens Stavnstrup wrote:

>
>Is it possible to configure a server, so
>
>   - when entering the server, authentication is done over SSL
>   - After the user successfully logged in, the contents of the server 
>     can be transferred using only http
>
I can't answer your question but isn't what you are trying to do kind of 
pointless? Of course it is a good idea not to transmit passwords in 
clear text but ...

If the idea of using SSL is to stop people from picking up your password 
and then use it to access the restricted resources ... anyone who has 
the know-how to listen on your transmissions to pick up your clear-text 
password certainly won't find it any more difficult to just listen and 
instead of picking up your password pick up the resources (files, 
etc...) that are being sent unencrypted.

Just my two cents,

Jc

