Password protected access
Password protected access
am 20.05.2002 18:46:17 von RPOTTS
Is there a way to encrypt the login window That I get when I want to reach
restricted areas? I have the password file setup and can log in, but I
understand that the password is sent in plaintext. I didn't see much in the
way of documentation about this.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Password protected access
am 20.05.2002 19:02:00 von Andreas Gietl
On Monday 20 May 2002 18:46, Potts, Ross A. wrote:
Hi Ross,
it isn't true it is sent plaintext. It is sent base64 encrypted, which is in
case of security just as insecure as plaintext.
But if you connect to the host containing the password-realm via ssl/https
your password is encrypted just the same way any other data would be
encrypted with ssl.
andreas
> Is there a way to encrypt the login window That I get when I want to reach
> restricted areas? I have the password file setup and can log in, but I
> understand that the password is sent in plaintext. I didn't see much in
> the way of documentation about this.
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
--
e-admin internet gmbh
Andreas Gietl
Ludwig-Thoma-Strasse 35
93051 Regensburg
tel +49 941 3810884
fax +49 941 3810891
mobil +49 171 6070008
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Password protected access
am 20.05.2002 19:03:48 von Peter Viertel
Sure,
If you're going to use the default http auth mechanism, then use SSL.
if the URL is https:// something then it's all encrypted. (ok, unless
you do something really odd with the server config).
Note that the 'password window' is something your browser displays -
once it's got the password it will usually post that password in a
header in every subsequent request to the same domain name.
If you're not planning on using SSL (one would then ask why you posted
the question to modssl-users....) then consider using mod_auth_digest.
Potts, Ross A. wrote:
>Is there a way to encrypt the login window That I get when I want to reach
>restricted areas? I have the password file setup and can log in, but I
>understand that the password is sent in plaintext. I didn't see much in the
>way of documentation about this.
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: Password protected access
am 20.05.2002 19:27:33 von RPOTTS
Actually, I am planning on having a fully https:// site. But, I still want
to restrict certain reports directories. So, let me see if I understand...
Once I am connected via SSL, then the password sent (after getting the lock
icon on the bottom) will also be encrypted?
-----Original Message-----
From: Peter Viertel [mailto:peter.viertel@itaction.co.uk]
Sent: Monday, May 20, 2002 1:04 PM
To: modssl-users@modssl.org
Subject: Re: Password protected access
Sure,
If you're going to use the default http auth mechanism, then use SSL.
if the URL is https:// something then it's all encrypted. (ok, unless
you do something really odd with the server config).
Note that the 'password window' is something your browser displays -
once it's got the password it will usually post that password in a
header in every subsequent request to the same domain name.
If you're not planning on using SSL (one would then ask why you posted
the question to modssl-users....) then consider using mod_auth_digest.
Potts, Ross A. wrote:
>Is there a way to encrypt the login window That I get when I want to reach
>restricted areas? I have the password file setup and can log in, but I
>understand that the password is sent in plaintext. I didn't see much in
the
>way of documentation about this.
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Password protected access
am 20.05.2002 19:39:33 von Andreas Gietl
On Monday 20 May 2002 19:27, Potts, Ross A. wrote:
that's right.
> Actually, I am planning on having a fully https:// site. But, I still want
> to restrict certain reports directories. So, let me see if I understand...
> Once I am connected via SSL, then the password sent (after getting the lock
> icon on the bottom) will also be encrypted?
>
> -----Original Message-----
> From: Peter Viertel [mailto:peter.viertel@itaction.co.uk]
> Sent: Monday, May 20, 2002 1:04 PM
> To: modssl-users@modssl.org
> Subject: Re: Password protected access
>
>
> Sure,
>
> If you're going to use the default http auth mechanism, then use SSL.
>
> if the URL is https:// something then it's all encrypted. (ok, unless
> you do something really odd with the server config).
>
> Note that the 'password window' is something your browser displays -
> once it's got the password it will usually post that password in a
> header in every subsequent request to the same domain name.
>
> If you're not planning on using SSL (one would then ask why you posted
> the question to modssl-users....) then consider using mod_auth_digest.
>
> Potts, Ross A. wrote:
> >Is there a way to encrypt the login window That I get when I want to reach
> >restricted areas? I have the password file setup and can log in, but I
> >understand that the password is sent in plaintext. I didn't see much in
>
> the
>
> >way of documentation about this.
> >___________________________________________________________ ___________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List modssl-users@modssl.org
> >Automated List Manager majordomo@modssl.org
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
--
e-admin internet gmbh
Andreas Gietl
Ludwig-Thoma-Strasse 35
93051 Regensburg
tel +49 941 3810884
fax +49 941 3810891
mobil +49 171 6070008
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org