httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J. Greenlees" <>
Subject Re: [users@httpd] Is basic authentication secure
Date Thu, 31 Oct 2002 16:55:58 GMT
forcing 128 bit encryption will stop anyone outside of Canada and the US 
of getting through. I believe that 128 bit encryption is a controlled 
trade item still.
force strong will make the encryption the highest the client's browser 
is capable of.


Ben Ricker wrote:
> If the login page is encrypted through SSL, then the authentication info
> is also encrypted. This is not COMPLETELY safe, since the encryption
> level can be too small (for instance, 40bit encryption is sniffable; the
> hacker must decrypt it using other tools but it can be done), someone
> may still sniff the SSL encrypted data, crack the encryption, and get
> the user data.
> If you really want to protect the connection, force 128-bit encryption
> from the client.
> Ben Ricker
> On Thu, 2002-10-31 at 08:38, Curley, Thomas wrote:
>>I would appreciate some comment on the following text was provided to us by a security
consultant wrt basic authentication to a MySql DB :-
>>"Although the password is stored on the server in encrypted format, it is passed from
the client to the server in plain text across the network. Anyone listening with any variety
of packet sniffer will be able to read the username and password in the clear as it goes across.
Not only that, but note that the username and password are passed with every request (taken
care of by the browser), not just when the user first types them in. So the packet sniffer
need not be listening at a particularly strategic time, but just for long enough to see any
single request come across the wire .Don't use basic authentication for anything that requires
real security."
>>I had though that once the 'Authentication dialog' (after I request a secure URL)
appears that an SSL session is established and that effectively all transmission is via SSL
- is this correct or is the situation is that the SSL session is not initiated until after
I am authenticated ?

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message