httpd-users mailing list archives

From "Dave" <d...@hawk-systems.com>
Subject RE: When SSL is overkill
Date Wed, 03 Jul 2002 13:16:48 GMT
>>Is it possible to configure a server, so
>>
>>   - when entering the server, authentication is done over SSL
>>   - After the user successfully logged in, the contents of the server
>>     can be transferred using only http
>>
>I can't answer your question but isn't what you are trying to do kind of
>pointless? Of course it is a good idea not to transmit passwords in
>clear text but ...
>
>If the idea of using SSL is to stop people from picking up your password
>and then use it to access the restricted resources ... anyone who has
>the know-how to listen on your transmissions to pick up your clear-text
>password certainly won't find it any more difficult to just listen and
>instead of picking up your password pick up the resources (files,
>etc...) that are being sent unencrypted.

Unless the information isn't sensitive enough to justify the additional load of
SSL, but the authentication is also system uid/pw sets, in which case the
information is only a minor concern, but having any uid/pw sets sent in the
clear is dangerous.  Personally I agree though, unless you are working on a real
sparse box, might as well just go all secure for the areas you are restricting
access to.

Now to the methodology.  There may be a simpler way, but we use PHP extensively.

Have the index page of the "secure" directory check if the user is currently in
SSL, if not, redirect to itself in https://...  this ensures your login is
secure.

Have the form (or whatever validation) verify the user, then redirect to your
page in http:// mode.

With relative ease you should be able to reproduce this with Perl in an
index.cgi script of some sort.

Dave
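The two-step redirect Dave describes (force the login page onto https://, validate the user, then send them back to http://), as an added example that is not part of the mailing-list post. It is written in Python rather than PHP so it can be run and tested offline; the request dict layout, the constructed user store, the salt and the cookie name are assumptions made here for illustration only, not anything from the thread.

```python
"""Added example (not from the post): the login-over-SSL, content-over-HTTP
redirect flow described above, as two request handlers.
Assumptions: a request is a dict with 'scheme', 'host', 'path' and 'form';
the user store, salt and cookie name are constructed for this example."""

import hashlib
import hmac
import secrets

# Constructed sample user store: username -> salted SHA-256 digest.
_SALT = b"example-salt"


def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse")}

LOGIN_FORM = "<form method='post'><input name='user'>" \
             "<input name='pass' type='password'></form>"


def check_credentials(username, password):
    """Compare against the stored digest in constant time."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(password))


def handle_login_page(request):
    """Step 1: the index page of the 'secure' directory. If the request did
    not arrive over SSL, redirect to the same URL on https:// so the form
    (and the password the user types into it) travel encrypted."""
    if request["scheme"] != "https":
        location = "https://" + request["host"] + request["path"]
        return 302, {"Location": location}, ""
    return 200, {"Content-Type": "text/html"}, LOGIN_FORM


def handle_login_submit(request):
    """Step 2: validate the user, then (as the post describes) redirect to
    the content area in http:// mode. A submission that somehow arrives over
    plain http is bounced back to https without looking at the credentials."""
    if request["scheme"] != "https":
        location = "https://" + request["host"] + request["path"]
        return 302, {"Location": location}, ""
    form = request.get("form", {})
    if not check_credentials(form.get("user", ""), form.get("pass", "")):
        return 401, {"Content-Type": "text/plain"}, "invalid credentials"
    token = secrets.token_urlsafe(32)
    # Caveat: after this redirect the session cookie is sent over http on
    # every request, so it has the same exposure as the content itself.
    headers = {
        "Location": "http://" + request["host"] + "/content/",
        "Set-Cookie": "session=" + token + "; HttpOnly; Path=/",
    }
    return 302, headers, ""


if __name__ == "__main__":
    plain = {"scheme": "http", "host": "example.test", "path": "/secure/"}
    print(handle_login_page(plain))
    login = {"scheme": "https", "host": "example.test", "path": "/secure/login",
             "form": {"user": "alice", "pass": "correct horse"}}
    print(handle_login_submit(login))
```

The split into two handlers mirrors the post: only the page that receives the password insists on SSL, and the redirect after validation is what drops the user back to http.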


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

