
access control: is the password transmitted securely?

Status
Not open for further replies.

cheerful (Programmer, US)
Mar 4, 2003
When I configure a directory as follows

AuthType Basic
AuthName "Restricted Files"
AuthUserFile C:/passwords
Require user foo

Apache will ask the user for an id/password. Are they transmitted securely? Or are they transmitted as plain text? Any way to make it secure?

Thanks!
 
This from
Security caveat

Basic authentication should not be considered secure for any particularly rigorous definition of secure.

Although the password is stored on the server in encrypted format, it is passed from the client to the server in plain text across the network. Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across.

Not only that, but remember that the username and password are passed with every request, not just when the user first types them in. So the packet sniffer need not be listening at a particularly strategic time, but just for long enough to see any single request come across the wire.

And, in addition to that, the content itself is also going across the network in the clear, and so if the web site contains sensitive information, the same packet sniffer would have access to that information as it went past, even if the username and password were not used to gain direct access to the web site.

Don't use basic authentication for anything that requires real security. It is a detriment for most users, since very few people will take the trouble, or have the necessary software and/or equipment, to find out passwords. However, if someone had a desire to get in, it would take very little for them to do so.

Basic authentication across an SSL connection, however, will be secure, since everything is going to be encrypted, including the username and password.


Want the best answers? Ask the best questions!

TANSTAAFL!!
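As an added illustration of the caveat quoted above (example code written for this page, not from the original thread or from the Apache project): the first function pulls the credentials out of a constructed packet capture of three requests, showing that the Authorization header is only Base64-encoded, not encrypted, and that it rides along on every request to the protected directory, not just the first one. The second function scans a constructed httpd.conf fragment for <Directory> scopes that use AuthType Basic without an SSLRequireSSL directive, which is the mod_ssl directive that refuses to serve a scope over plain HTTP. The host name, file paths, the password "s3cr3t", and the assumption that mod_ssl is loaded with an SSL virtual host in front of the directory are all hypothetical.

```python
import base64
import re

# Constructed sample of what a packet sniffer sees on the wire once the browser
# has been prompted for Basic auth: three requests, two of them to the protected
# directory. Not captured from a real host.
CAPTURED_REQUESTS = (
    b"GET /restricted/index.html HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic Zm9vOnMzY3IzdA==\r\n"
    b"\r\n"
    b"GET /restricted/report.html HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic Zm9vOnMzY3IzdA==\r\n"
    b"\r\n"
    b"GET /public/logo.gif HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"\r\n"
)

# Constructed httpd.conf fragment (hypothetical paths). The first scope is the
# poster's configuration; the second adds SSLRequireSSL (mod_ssl assumed loaded).
HTTPD_CONF = """
<Directory "C:/Apache2/htdocs/restricted">
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile C:/passwords
    Require user foo
</Directory>

<Directory "C:/Apache2/htdocs/secure">
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile C:/passwords
    Require user foo
</Directory>
"""


def extract_basic_credentials(raw: bytes):
    """Return [(path, username, password), ...] for every request in the
    capture that carries an 'Authorization: Basic' header.

    Base64 is reversible by anyone, so this is exactly what a sniffer gets."""
    leaked = []
    for request in raw.split(b"\r\n\r\n"):
        if not request.strip():
            continue
        lines = request.split(b"\r\n")
        _method, path, _version = lines[0].decode("ascii").split(" ", 2)
        for header in lines[1:]:
            name, _, value = header.decode("ascii").partition(":")
            if name.strip().lower() != "authorization":
                continue
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
                leaked.append((path, user, password))
    return leaked


def basic_auth_without_ssl(conf: str):
    """Return the <Directory> paths that use AuthType Basic but have no
    SSLRequireSSL directive, i.e. scopes that would also accept the credentials
    over plain HTTP if the same DocumentRoot is served on port 80."""
    exposed = []
    block_re = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
    for block in block_re.finditer(conf):
        path, body = block.group(1), block.group(2)
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts:
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        if directives.get("authtype", "").strip().lower() == "basic" and "sslrequiressl" not in directives:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    for path, user, password in extract_basic_credentials(CAPTURED_REQUESTS):
        print(f"{path}: user={user!r} password={password!r}")
    for path in basic_auth_without_ssl(HTTPD_CONF):
        print(f"Basic auth reachable over plain HTTP: {path}")
```

Running it lists the same username and password twice, once per request to the protected directory, and flags only the first <Directory> scope. SSLRequireSSL only helps if an SSL virtual host actually exists; on its own it just returns 403 to plain-HTTP clients, which is still better than letting them send the password.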
 
How would I be able to set up Apache with SSL? I am running the windows installation version, 2.0

Thanks!
 