Re: does ssl encrypt basic auth?

2000-02-06 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:
> David McCabe wrote:
> 
> [...]
> SSL traffic is encrypted before the first HTTP byte goes over the wire.

Yes, exactly.
(At least as long as the NULL cipher is not used ;)

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: RE: does ssl encrypt basic auth?

2000-02-06 Thread mads

David McCabe wrote:
>
> If the first connection to a web site causes the
> authentication to be activated, the
> password is _NOT_ encrypted. A successful connection has to
> be established with a
> secure web site before the encryption is turned on.

You've got something completely wrong here. The way the SSL
protocol works, the first thing that happens is that an
encrypted channel is set up - only after that, you'll have
the http (encrypted) communication.
But take a look at http://www.modssl.org/docs/2.5/ssl_intro.html
for a great explanation of the protocol.

Sorry guys, I know that this is OT but I really had to clear that
one up :)

vh

Mads Toftum, QDPH
---
System Designer / Developer
Tele Danmark Nøglecenter - http://www.certifikat.dk/
email: [EMAIL PROTECTED] / [EMAIL PROTECTED]



RE: does ssl encrypt basic auth?

2000-02-06 Thread dreamwvr

hi,
   SSL provides end-to-end encryption for all data transferal, but if
this did not exist the actual text would then be in the clear.
> Ed Loehr wrote:
> > 
> > Is a basic authentication password, entered via a connection to an
> > https/SSL server, encrypted or plain text across the wire?
> > 
> Encrypted - but that question really doesn't belong here.
> It has nothing to do with modperl.
> 
> vh
> 
> Mads Toftum, QDPH
> --
> The brain is a wonderful organ; it starts working the moment you get up
> in the morning, and does not stop until you get to work.




Re: does ssl encrypt basic auth?

2000-02-06 Thread David McCabe

> From: "Jeffrey W. Baker" <[EMAIL PROTECTED]>
> Date: Sun, 06 Feb 2000 09:55:06 -0800
> Subject: Re: does ssl encrypt basic auth?
> 
> Do you have some documentation on that?  I say you are smoking crack.

When I set up my first secure site four years ago, the bank involved (a major national
bank in Canada) insisted their tests proved what I said, and they had concerns about
the Cybercash admin pages for the store owners to admin their databases. I set it up
the way I said, and we passed their tests.

Maybe things are different with webservers now, but then, with the software we used
(true, it was not a Netscape server), the authentication was activated before the ssl. :(

You are right, I should do some tests now, and see what webservers do what now. I hope
ssl first, like you quoted. We use a lot of SecurID authentication here, even for web, so
encryption of the password is not really an issue anymore. :)

Now we are really off-topic. Let's kill it.



David McCabe  Unix SysAdmin/Peon
Le Groupe Videotron [EMAIL PROTECTED]   (514) 380 4433

Who were the beta testers for Preparations A through G?



Re: does ssl encrypt basic auth?

2000-02-06 Thread Jeffrey W. Baker

David McCabe wrote:

> Yes, it is off-topic, but I am replying anyway, because you are slightly wrong. :)
> 
> If the first connection to a web site causes the authentication to be activated, the
> password is _NOT_ encrypted. A successful connection has to be established with a
> secure web site before the encryption is turned on. After the first connection, every
> other connection is then encrypted. The best way to ensure the password is encrypted
> is to have one unprotected page to go to, with links to the protected parts. Client
> connects to that page, encryption is on. Click on a link to a protected area,
> authentication goes on, but everything is now encrypted, including username/password
> given for authentication.

Do you have some documentation on that?  I say you are smoking crack.

I refer you to these:

[1] http://home.netscape.com/eng/ssl3/draft302.txt
[2] http://www.modssl.org/docs/2.5/ssl_intro.html#figure1

Specifically, from 1:

   The SSL Record Protocol is used for encapsulation
   of various higher level protocols.  One such encapsulated protocol,
   the SSL Handshake Protocol, allows the server and client to
   authenticate each other and to negotiate an encryption algorithm
   and cryptographic keys before the application protocol transmits or
   receives its first byte of data.

SSL traffic is encrypted before the first HTTP byte goes over the wire.

-jwb
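
As an added illustration of the two points made in this thread (not part of any poster's message and not mod_ssl code): the sketch below checks whether the first bytes of a connection are an SSL3/TLS record or readable HTTP carrying a Basic `Authorization` header, and reads the cipher suite from a ServerHello to flag the NULL-cipher case Ralf mentions. All function names and sample bytes are constructed for this example.

```python
import base64
import re
import struct

# Suites that negotiate no encryption (TLS_NULL_WITH_NULL_NULL, RSA_WITH_NULL_*).
NULL_SUITES = {0x0000, 0x0001, 0x0002, 0x003B}

def first_record(stream: bytes):
    """Return (content_type, body) if the stream opens with an SSL3/TLS record."""
    if len(stream) < 5:
        return None
    ctype, major, _minor, length = struct.unpack("!BBBH", stream[:5])
    if ctype not in (20, 21, 22, 23) or major != 3:
        return None  # SSLv2-format hellos are not handled in this sketch
    return ctype, stream[5:5 + length]

def cleartext_basic_credentials(stream: bytes):
    """Return (user, password) if a Basic header is readable on the wire as-is."""
    if first_record(stream):  # record layer comes first: no HTTP bytes visible
        return None
    m = re.search(rb"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", stream)
    if not m:
        return None
    # Base64 is an encoding, not encryption: decoding needs no key.
    user, _, password = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
    return user, password

def negotiated_suite(server_flight: bytes):
    """Read the cipher suite chosen in a ServerHello (SSL3 to TLS 1.2 layout)."""
    rec = first_record(server_flight)
    if not rec or rec[0] != 22 or len(rec[1]) < 39 or rec[1][0] != 2:
        return None
    body = rec[1]
    off = 39 + body[38]  # 4 handshake hdr + 2 version + 32 random + 1 sid length
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]

# Constructed samples, not captured traffic.
PLAIN_HTTP = (b"GET /admin/ HTTP/1.0\r\nAuthorization: Basic "
              + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
CLIENT_HELLO = bytes([22, 3, 0, 0, 4, 1, 0, 0, 0])  # record header + empty hello

def server_hello(suite: int) -> bytes:
    hs = bytes([3, 0]) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return bytes([22, 3, 0]) + struct.pack("!H", len(hs)) + hs
```

Run against the opening bytes of a capture from your own server: a result from `cleartext_basic_credentials` means the password crossed the wire readable, and a `negotiated_suite` value in `NULL_SUITES` means the record layer is in use but not encrypting.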



Re: RE: does ssl encrypt basic auth?

2000-02-06 Thread David McCabe

> From: [EMAIL PROTECTED]
> Date: Sun, 06 Feb 2000 11:11:37 +0100
> Subject: RE: does ssl encrypt basic auth?
> To: [EMAIL PROTECTED]
> 
>  Ed Loehr wrote:
> > 
> > Is a basic authentication password, entered via a connection to an
> > https/SSL server, encrypted or plain text across the wire?
> > 
> Encrypted - but that question really doesn't belong here.
> It has nothing to do with modperl.

Yes, it is off-topic, but I am replying anyway, because you are slightly wrong. :)

If the first connection to a web site causes the authentication to be activated, the
password is _NOT_ encrypted. A successful connection has to be established with a
secure web site before the encryption is turned on. After the first connection, every
other connection is then encrypted. The best way to ensure the password is encrypted
is to have one unprotected page to go to, with links to the protected parts. Client
connects to that page, encryption is on. Click on a link to a protected area,
authentication goes on, but everything is now encrypted, including username/password
given for authentication.







David McCabe  Unix SysAdmin/Peon
Le Groupe Videotron [EMAIL PROTECTED]   (514) 380 4433

Who were the beta testers for Preparations A through G?



Re: does ssl encrypt basic auth?

2000-02-06 Thread Ed Loehr

[EMAIL PROTECTED] wrote:
> 
>  Ed Loehr wrote:
> >
> > Is a basic authentication password, entered via a connection to an
> > https/SSL server, encrypted or plain text across the wire?
> >
> Encrypted - but that question really doesn't belong here.
> It has nothing to do with modperl.

Yes, some of your fellow off-topic police have already served notice
privately.  My unstated context was that mod_perl authentication was
giving me fits, and in my effort to find an alternative, I (gasp)
posted off-topic.  I'm just glad you're watching.  :(



RE: does ssl encrypt basic auth?

2000-02-06 Thread mads

 Ed Loehr wrote:
> 
> Is a basic authentication password, entered via a connection to an
> https/SSL server, encrypted or plain text across the wire?
> 
Encrypted - but that question really doesn't belong here.
It has nothing to do with modperl.

vh

Mads Toftum, QDPH
--
The brain is a wonderful organ; it starts working the moment you get up
in the morning, and does not stop until you get to work. 



does ssl encrypt basic auth?

2000-02-05 Thread Ed Loehr

Is a basic authentication password, entered via a connection to an
https/SSL server, encrypted or plain text across the wire?