Ah, I was unaware of that little piece of the puzzle. So the password is never sent plaintext. Nice thinking.
2009/9/2 D. Richard Hipp <d...@hwaci.com>

> On Sep 2, 2009, at 9:23 AM, Michael Richter wrote:
>
> > It does if you embed the userid and password in the URL, like this:
> >
> > http://userid:passw...@www.domain.com/
> >
> > It remembers the userid and password, but does not display them,
> > unless you run the "remote-url" command with the --show-pw option.
> >
> > Isn't transmitting the userid and password in the clear like that a
> > bit dubious?
>
> You seem to be assuming that the URL you type in is somehow
> transmitted over the wire to the server. That is not the case.
>
> Fossil parses the URL that you type in and does different things with
> the various pieces. The "http:" part tells it what protocol to use.
> The "www.domain.com" tells it what IP address to contact. The ":80"
> part (implied in the above) tells it which TCP port to use. The
> "userid:password" tells it how to go about authentication. The userid
> is sent in the clear. But instead of sending the password, fossil
> computes the SHA1 hash of the body of the message, concatenates the
> password to the end of the first hash, then does a second SHA1 hash on
> the concatenation and sends the second SHA1 hash.
>
> D. Richard Hipp
> d...@hwaci.com
>
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
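The two-stage hash that Hipp describes, worked through as an added Python sketch of both the client and the server side; this is not Fossil's own code and not part of the thread, and the hex encoding of the intermediate hash, the message field names and the sample userid, password and body are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the mailing-list message).
USERID = "alice"
PASSWORD = "correct horse battery staple"
BODY = b"example sync payload"


def body_hash(body: bytes) -> str:
    """First SHA1: hash of the message body. Using the hex digest as the
    intermediate value is an assumption; the message does not say how it is encoded."""
    return hashlib.sha1(body).hexdigest()


def sign(body: bytes, password: str) -> str:
    """Second SHA1 over (first hash || password). Only this value goes on the wire."""
    first = body_hash(body)
    return hashlib.sha1(first.encode("utf-8") + password.encode("utf-8")).hexdigest()


def client_message(userid: str, body: bytes, password: str) -> dict:
    """What the client transmits (hypothetical field names): the userid in the
    clear, the body, and the second-stage hash. The password itself is never sent."""
    return {"userid": userid, "body": body, "signature": sign(body, password)}


def server_verify(message: dict, password_db: dict) -> bool:
    """Server side: to check the hash the server needs the user's password (or a
    stored secret that lets it reproduce the same computation) and recomputes the
    hash over the body it actually received, so a modified body fails verification."""
    password = password_db.get(message["userid"])
    if password is None:
        return False
    expected = sign(message["body"], password)
    return hmac.compare_digest(expected, message["signature"])


def password_on_wire(message: dict, password: str) -> bool:
    """Checks the point made in the thread: the plaintext password appears in
    none of the transmitted fields."""
    wire = message["userid"].encode("utf-8") + message["body"] + message["signature"].encode("utf-8")
    return password.encode("utf-8") in wire


if __name__ == "__main__":
    db = {USERID: PASSWORD}
    msg = client_message(USERID, BODY, PASSWORD)
    print(server_verify(msg, db))                        # True
    print(server_verify(dict(msg, body=BODY + b"!"), db))  # False: hash is bound to the body
    print(password_on_wire(msg, PASSWORD))               # False
```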