httpd-users mailing list archives

From Joey Hewitt <j...@joeyhewitt.com>
Subject Re: [users@httpd] Encrypting things
Date Sun, 16 May 2004 23:58:16 GMT
Quoting Eugene Lee <list-apache@fsck.net>:

> On Sun, May 16, 2004 at 02:55:12PM -0500, Jim Sabatke wrote:
> :
> : I want to encrypt a page (with lots of password info) so
> : that it decrypts when I access it.
>
> This is useful only when it's inevitable that regular users can get
> public access to the encrypted content.  Instead, put that page in its
> own directory and then set up password protection on the directory.

  Yes, and for encryption, you could use OpenSSL.  I believe you can rig it so
that the SSL certificate presented to the server by your client can be
converted into a username/password for use by HTTP Basic Authentication.  So
you could make a certificate for yourself, plug it into IE or whatever browser
you use, and then browse to your site (probably will need the https:// syntax
for the address, unless you want to do something non-standard).  It will be
sent encrypted to you and your browser will transparently decrypt it.  Only you
will be able to do this, because only you will have your private key and
certificate (hopefully.)  For extra protection, you can passphrase-protect that
certificate/key pair.  Of course, this only works in certain situations, like
when you want to be able to access your password list from your desktop -- but
what about if you're on another computer?  I've never done this, but I
understand it's possible.
  For less security, you can simply password protect (no encryption) with HTTP
Basic Authentication -- I've done that: On my home page, I have a full-stop (.)
on one of my sentences that links to a password-protected page that gives
shortcut links to my SSL-secured webmail and Java-applet secure-shell access to
my server and desktop.  This works nicely for me because it's not very likely
that anyone will notice the link (until I tell everyone here about it ;)), it's
then protected by password, and everything that's linked to on that page is
under its own unique password anyways.  I even have a simple password for quick
& easy access on the HTTP Auth because it wouldn't matter much if anyone broke
it.  I don't know how tight Apache is about HTTP Authentication like this --
I'm sure it's fairly secure, but it's not a critical issue to me, so I haven't
looked into it.
  If you mean you want to store content encrypted on hard-disk and have Apache
decrypt it before it's sent, I'm not aware of a meaningful way to do so, but
I'd imagine it can be done.
  Your solution really depends on how transparent you want the enc/decryption
process to be and when/where you want it to occur.  HTH,
==Joey
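
A configuration sketch of the two approaches described in this message, added as an example and not part of the original post. It assumes Apache 2.4 with mod_ssl; every path, host name and realm below is hypothetical. Basic Authentication sends the password base64-encoded rather than encrypted, so both directories are restricted to https.

```apache
# Added example: hypothetical paths and names, Apache 2.4 + mod_ssl assumed.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot "/var/www/html"

    SSLEngine on
    SSLCertificateFile    "/etc/httpd/tls/server.crt"
    SSLCertificateKeyFile "/etc/httpd/tls/server.key"
    # CA that issued the personal client certificate
    SSLCACertificateFile  "/etc/httpd/tls/client-ca.crt"

    # Approach 1: the client certificate is mapped to a Basic Auth user.
    <Directory "/var/www/html/private-cert">
        # Refuse any request that did not arrive over TLS
        SSLRequireSSL
        # Demand a certificate signed directly by the CA above
        SSLVerifyClient require
        SSLVerifyDepth 1
        # FakeBasicAuth turns the certificate's subject DN into the
        # Basic Auth user name; no password prompt is shown.
        SSLOptions +FakeBasicAuth +StrictRequire
        AuthType Basic
        AuthName "Client certificate required"
        AuthBasicProvider file
        # One entry per allowed subject DN. mod_ssl always supplies the
        # fixed password "password", so each entry stores a hash of it.
        AuthUserFile "/etc/httpd/auth/cert-users"
        Require valid-user
    </Directory>

    # Approach 2: password protection on a directory.
    <Directory "/var/www/html/private-pw">
        # Keeps the Basic Auth credentials off plain http
        SSLRequireSSL
        AuthType Basic
        AuthName "Private"
        AuthBasicProvider file
        # File created with the htpasswd utility
        AuthUserFile "/etc/httpd/auth/htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

In the first directory, access is decided by who holds the private key for a listed certificate; deleting the matching line from the user file revokes it without reissuing anything.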
