Posted by Alvaro G Vicario on 08/18/05 11:18
*** Peter Chant wrote/escribió (Thu, 18 Aug 2005 08:05:29 +0100):
>>> Are the username and password in the login box that comes up encrypted?
>>
>> Try the Live HTTP Headers extension for Mozilla/Firefox. You'll see that
>> user and password are sent as plain text within headers on every page
>> request. Which, BTW, is the case of most authentication systems.
>>
>
> Even when using https?
HTTPS is only HTTP over SSL. It's a protocol to encrypt HTTP
communications: the underlying HTTP, *once decrypted*, remains the same.
I just meant that, if you're concerned about the security of HTTP
authentication (and you have good reasons to), using HTTPS is a very good
idea.
>> Make sure all page contents are encrypted. To all effects,
>> https://www.example.com/ and http://www.example.com/submit.png belong to
>> different web sites.
>
> Yes, but I used https://www.example.com:4430 as I was running the server on
> port 4430 and I still got the password dialog box when I tried
> http://www.example.com:4430 leading me to think that in both cases
> authentication was not password protected.
I'm not sure about your exact problem but if your form is processed under
HTTPS, it doesn't matter that the form itself is not encrypted.
:-?
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--