httpd-users mailing list archives

From "Curley, Thomas" <thomas.cur...@euroconex.com>
Subject [users@httpd] Is basic authentication secure
Date Thu, 31 Oct 2002 14:38:39 GMT
I would appreciate some comment on the following text, which was provided to us by a security consultant
with regard to basic authentication to a MySQL DB:

"Although the password is stored on the server in encrypted format, it is passed from the
client to the server in plain text across the network. Anyone listening with any variety of
packet sniffer will be able to read the username and password in the clear as it goes across.
Not only that, but note that the username and password are passed with every request (taken
care of by the browser), not just when the user first types them in. So the packet sniffer
need not be listening at a particularly strategic time, but just for long enough to see any
single request come across the wire. Don't use basic authentication for anything that requires
real security."


I had thought that once the 'Authentication dialog' (after I request a secure URL) appears,
an SSL session is established and that effectively all transmission is via SSL. Is this
correct, or is the situation that the SSL session is not initiated until after I am authenticated?


thanks

Thomas


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
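The behaviour the consultant describes, shown as an added example that is not part of the thread and not Apache's own code: a small Python script that builds the Authorization header exactly as a browser does (base64 of "user:password", RFC 7617) and then plays the role of the packet sniffer, recovering the username and password from two constructed plain-HTTP requests. The host name, paths and credentials ("alice" / "s3cret") are made up for the example. It shows that base64 is a reversible encoding, not encryption, and that the same header is replayed on every request, so any single captured request is enough.

```python
import base64
import binascii

# Constructed sample capture (not from the thread): what a passive sniffer on a
# plain-HTTP path sees for two consecutive requests from one browser session.
# "YWxpY2U6czNjcmV0" is base64("alice:s3cret"); host and paths are invented.
CAPTURED_REQUESTS = [
    "GET /private/index.html HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n",
    "GET /private/report.cgi?id=7 HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "\r\n",
]


def encode_basic(user: str, password: str) -> str:
    """Build the header value a browser sends: 'Basic ' + base64('user:password')."""
    if ":" in user:
        # RFC 7617 forbids a colon in the user-id, since the first colon is the separator.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """Recover (user, password) from an Authorization header value.

    Returns None when the scheme is not Basic, the token is not valid base64,
    or the decoded text carries no colon. Only the first colon separates the
    fields, so a password may itself contain colons.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def sniff_credentials(requests):
    """What a sniffer on the plaintext path learns: one (user, password) per request.

    The browser resends the header with every request in the realm, so the
    list has one entry per captured request, not one per login.
    """
    found = []
    for req in requests:
        head, _, _ = req.partition("\r\n\r\n")          # headers only, drop any body
        for line in head.split("\r\n")[1:]:              # skip the request line
            name, _, value = line.partition(":")
            if name.strip().lower() == "authorization":
                creds = decode_basic(value)
                if creds is not None:
                    found.append(creds)
    return found


if __name__ == "__main__":
    print("browser sends:", encode_basic("alice", "s3cret"))
    for user, password in sniff_credentials(CAPTURED_REQUESTS):
        print(f"sniffer recovers: user={user!r} password={password!r}")
```

The script models the plain-HTTP case the consultant is warning about. With an https URL the browser negotiates TLS before it sends any HTTP request at all, so the 401 challenge, the authentication dialog and the retried request carrying this header all travel inside the encrypted session and a sniffer sees only ciphertext; the decoding above only works on a plain-http capture. A practical check on the server side is mod_ssl's SSLRequireSSL directive in the same Directory or Location block as the AuthType Basic configuration, which refuses to serve the protected area over plain HTTP at all.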

