Hello,

I just configured my Apache server to use mod_ssl, and I was wondering
if someone could point me in the right direction regarding user
authentication. I have two basic questions:

1. (When) does mod_auth user/password information get encrypted?
Without SSL, it is my understanding that this is just a base64 encoding
(unencrypted). With SSL, is this information always encrypted since it
has to go through the SSL protocol layer? I think this is the case,
but Netscape doesn't tell me that I have requested a secure document
until AFTER I have sent the username/password. Just wanted to confirm
that all data is encrypted when accessing the SSL http server.

2. What are the pitfalls of using login-type authentication methods over
SSL? I have seen a document warning against using /etc/passwd since
this could be vulnerable to repetitive (e.g. dictionary) attacks. Does
using a PAM-type authentication fix this type of problem since most PAM
modules have some sort of authentication delay built in?

Thanks,
Mark
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
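
Added example, not part of the original post: question 2 concerns repeated (dictionary) password guessing against HTTP login authentication, and the Python below flags that pattern in an Apache access log. It assumes the log is in Common Log Format; the function name, threshold, window and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (not taken from the post).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2000:13:55:00 -0700] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - mark [10/Oct/2000:13:55:04 -0700] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - mark [10/Oct/2000:13:55:09 -0700] "GET /private/ HTTP/1.0" 200 2326
192.0.2.10 - root [10/Oct/2000:13:56:01 -0700] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - root [10/Oct/2000:13:56:02 -0700] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - root [10/Oct/2000:13:56:03 -0700] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - admin [10/Oct/2000:13:56:04 -0700] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - admin [10/Oct/2000:13:56:05 -0700] "GET /private/ HTTP/1.0" 401 401
"""

# host ident user [timestamp] "request" status bytes
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')

def find_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: sorted usernames tried} for every client with at
    least `threshold` rejected logins inside a sliding `window`."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) of recent rejections
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # A 401 with user "-" is only the server's initial challenge: no
        # credentials were sent, so it is not counted as a failed guess.
        if not m or m["status"] != "401" or m["user"] == "-":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append((ts, m["user"]))
        while ts - attempts[0][0] > window:   # drop rejections outside the window
            attempts.popleft()
        if len(attempts) >= threshold:
            flagged[m["ip"]].update(user for _, user in attempts)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in find_guessing(SAMPLE_LOG).items():
        print(f"{ip}: repeated rejected logins for {', '.join(users)}")
```

The user field on a 401 line is whatever name the client supplied, not an authenticated identity, so it is reported only as the name that was tried.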