On Sep 2, 2009, at 9:23 AM, Michael Richter wrote:

> It does if you embed the userid and password in the URL, like this:
>
> http://userid:passw...@www.domain.com/
>
> It remembers the userid and password, but does not display them,
> unless you run the "remote-url" command with the --show-pw option.
>
> Isn't transmitting the userid and password in the clear like that a
> bit dubious?

You seem to be assuming that the URL you type in is somehow transmitted over the wire to the server. That is not the case. Fossil parses the URL that you type in and does different things with the various pieces. The "http:" part tells it what protocol to use. The "www.domain.com" tells it what IP address to contact. The ":80" part (implied in the above) tells it which TCP port to use. The "userid:password" tells it how to go about authentication. The userid is sent in the clear. But instead of sending the password, fossil computes the SHA1 hash of the body of the message, concatenates the password to the end of the first hash, then does a second SHA1 hash on the concatenation and sends the second SHA1 hash.

D. Richard Hipp
d...@hwaci.com

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
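
The token computation described in the reply above, together with a matching server-side check, as an added Python example (not part of the original post and not Fossil's own code). The lowercase-hex form of the first hash, the UTF-8 password encoding, and the names `sign_message`, `build_request` and `verify_request` are assumptions made for illustration.

```python
import hashlib
import hmac


def sign_message(body: bytes, password: str) -> str:
    """Token as described above: SHA1(SHA1(body) + password)."""
    # Assumption: the first hash is taken in lowercase hex and the password
    # is UTF-8 encoded; the post does not state either encoding.
    first = hashlib.sha1(body).hexdigest()
    return hashlib.sha1((first + password).encode("utf-8")).hexdigest()


def build_request(userid: str, password: str, body: bytes) -> dict:
    """What the client sends: userid in the clear, the token, and the body."""
    return {"userid": userid, "token": sign_message(body, password), "body": body}


def verify_request(request: dict, stored_passwords: dict) -> bool:
    """Server side: recompute the token from the received body and the
    password already held for that userid, then compare."""
    password = stored_passwords.get(request["userid"])
    if password is None:
        return False
    expected = sign_message(request["body"], password)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), str(request["token"]).encode())


# Constructed sample values, not taken from any real repository.
SERVER_PASSWORDS = {"alice": "correct horse battery staple"}
SAMPLE_BODY = b"constructed sync payload\n"

if __name__ == "__main__":
    req = build_request("alice", SERVER_PASSWORDS["alice"], SAMPLE_BODY)
    print("userid on the wire:", req["userid"])
    print("token on the wire: ", req["token"])
    print("verifies:", verify_request(req, SERVER_PASSWORDS))
    # Changing the body after signing invalidates the token.
    tampered = dict(req, body=req["body"] + b"extra")
    print("tampered body verifies:", verify_request(tampered, SERVER_PASSWORDS))
```

Because the token is derived only from the body and the password, its strength depends on the strength of the password, and the body itself still travels unencrypted over plain http.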