[GRLUG] HTTPS & HTTPAuth

Michael Mol mikemol at gmail.com
Thu Sep 23 12:38:27 EDT 2010


On Thu, Sep 23, 2010 at 12:19 PM, L. V. Lammert <lvl at omnitec.net> wrote:
> Setting up a secure server, .. and the docs state that the UID/PW for Basic
> Authentication is sent as clear text, .. *BUT* over an https connection is
> not the UID/PW sent over https, or is it sent before the SSL connection is
> initialized?

In an SSL connection, the encryption is set up before any data
traverses the socket.

In TLS, encryption may be set up at any point in the connection.

If you really want to be certain, though, set up Wireshark and try it
in a contained environment.

>
> The question, then, is whether there is any reason to use Digest
> Authentication for an https server?

No idea; I've only partially investigated using SSL certs for end-user
identification/authentication.

-- 
:wq
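
An offline way to check the ordering asked about above, added here as an example that is not part of the original post: Python's `ssl` module is driven through memory BIOs (no network), asked to send a Basic-auth request, and everything the client emits is inspected. The host name, path and credentials are constructed sample values.

```python
import base64, re, ssl, struct

def build_request(user, password):
    """HTTP request carrying Basic credentials (constructed sample values)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET /private HTTP/1.1\r\nHost: example.test\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode()

def recover_basic(wire_bytes):
    """Return (user, password) if a Basic header is readable in the bytes."""
    m = re.search(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", wire_bytes)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password

def tls_client_output(request):
    """Bytes a TLS client emits when told to send `request` on a new connection."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    for step in (conn.do_handshake, lambda: conn.write(request)):
        try:
            step()
        except ssl.SSLError:
            # Normally SSLWantReadError: no server reply has arrived, so the
            # handshake is unfinished and no application data can be sent.
            pass
    return outgoing.read()

def tls_record_header(wire_bytes):
    """Parse the 5-byte TLS record header plus the handshake message type."""
    ctype, version, length = struct.unpack("!BHH", wire_bytes[:5])
    return {"content_type": ctype, "version": version,
            "length": length, "handshake_type": wire_bytes[5]}

if __name__ == "__main__":
    req = build_request("alice", "s3cret")
    # Plain HTTP: the request itself is what goes on the wire.
    print("plain HTTP, recovered:", recover_basic(req))
    # HTTPS: only a handshake record (type 22, ClientHello = 1) leaves first.
    wire = tls_client_output(req)
    print("TLS first flight:", tls_record_header(wire))
    print("TLS, recovered:", recover_basic(wire))
```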
