[GRLUG] HTTPS & HTTPAuth
Adam Tauno Williams
awilliam at whitemice.org
Thu Sep 23 13:14:56 EDT 2010
On Thu, 2010-09-23 at 11:19 -0500, L. V. Lammert wrote:
> Setting up a secure server, .. and the docs state that the UID/PW for
> Basic Authentication is sent as clear text,
> .. *BUT* over an https
> connection is not the UID/PW sent over https, or is it sent before
> the SSL connection is initialized?
It is clear text - inside the encrypted channel. So it is reasonably
secure in-flight, but still less secure at the end-points than Digest.
> The question, then, is whether there is any reason to use Digest
> Authentication for an https server?
Yes. Because a single-layer of security is a thin veil of protection.
Security measures are far more effective when nested/stacked.
Digest is also technically required for HTTP/1.1.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the grlug
mailing list