[GRLUG] HTTPS & HTTPAuth

Adam Tauno Williams awilliam at whitemice.org
Thu Sep 23 13:14:56 EDT 2010


On Thu, 2010-09-23 at 11:19 -0500, L. V. Lammert wrote:
> Setting up a secure server, .. and the docs state that the UID/PW for 
> Basic Authentication is sent as clear text,
> .. *BUT* over an https 
> connection is not the UID/PW sent over https, or is it sent before 
> the SSL connection is initialized?

It is clear text - inside the encrypted channel.  So it is reasonably
secure in-flight, but still less secure at the end-points than Digest.

> The question, then, is whether there is any reason to use Digest 
> Authentication for an https server?

Yes.  Because a single layer of security is a thin veil of protection.
Security measures are far more effective when nested/stacked.

Digest is also technically required for HTTP/1.1.
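To make the end-point difference concrete, here is an added illustration (not part of the original thread): Basic auth ships the password itself in the header, so anything past the TLS termination point (the server process, its access logs, a reverse proxy) can recover it, while Digest sends only a hash the server can verify from a stored H(A1). The credential, realm and nonce values are the worked example from RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac

# Sample values copied from the worked example in RFC 2617 section 3.5 (not from this thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
METHOD, URI = "GET", "/dir/index.html"


def basic_header(user, password):
    # Basic auth: base64 is an encoding, not encryption; TLS is the only thing hiding it in flight.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header):
    # Whoever sees the header after TLS is stripped (server, logs, proxy) gets the password back.
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    # H(A1) is all a Digest server needs to keep; the cleartext password is never stored or sent.
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, nonce, nc, cnonce, method, uri, qop="auth"):
    # Client-side response for qop=auth, exactly as RFC 2617 defines it.
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, realm, password, nonce, cnonce, nc, method, uri):
    resp = digest_response(digest_ha1(user, realm, password), nonce, nc, cnonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def digest_verify(stored_ha1, fields, method):
    # Server side: recompute from the stored H(A1) and the fields the client sent, compare in constant time.
    expected = digest_response(stored_ha1, fields["nonce"], fields["nc"],
                               fields["cnonce"], method, fields["uri"])
    return hmac.compare_digest(expected, fields["response"])
```

Note that Digest still uses MD5 and does nothing for confidentiality of the request body, so it complements TLS rather than replacing it, which is the "stacked" point made above.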





