On Thu, Apr 27, 2000 at 01:05:28AM -0700, W. Mark Smith wrote:
> 1. (When) does mod_auth user/password information get encrypted?
> Without SSL, it is my understanding that this is just a base64 encoding
> (unencrypted). With SSL, is this information always encrypted since it
> has to go through the SSL protocol layer?? I think this is the case,
> but Netscape doesn't tell me that I have requested a secure document
> until AFTER I have sent the username/password. Just wanted to confirm
> that all data is encrypted when accessing the SSL http server.
>
With SSL, everything will be encrypted - the passwords are part of
the HTTP headers, and not sent until after the SSL session has been
established. My guess about why Netscape waits is that it has to
retrieve all elements on the page before showing the lock.
> 2. What are the pitfalls of using login-type authentication methods over
> SSL? I have seen a document warning against using /etc/passwd since
> this could be vulnerable to repetitive (e.g. dictionary) attacks. Does
> using a PAM-type authentication fix this type of problem since most PAM
> modules have some sort of authentication delay built in?
With SSL the considerations are basically the same as without - except
that it is a lot harder to sniff passwords ;-)
If you need strong authentication, you may want to look into using
client certificates.
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]