[2925] in WWW Security List Archive
Passwords encrypted with SSL??
daemon@ATHENA.MIT.EDU (rob schuldt)
Wed Sep 11 13:24:13 1996
From: rschuld@uhc.com (rob schuldt)
To: www-security@ns2.rutgers.edu
Date: Wed, 11 Sep 1996 10:36:58 -0500 (CDT)
Errors-To: owner-www-security@ns2.rutgers.edu
The basic authentication mechanism of the HTTP protocol is fine except that it
sends the password over the wire in the clear, which would make it
vulnerable to sniffers. Hence I was just wondering if you know of any
initiatives/products that allow S/Key authentication access for web
pages. I've seen implementations of Java S/Key calculators around the
web and was just curious to find out if anyone has integrated it into
an S/Key authentication mechanism for web pages?
Charles Lai
------------------------------
Someone correct me if I'm wrong here. If you have an SSL connection between
the server and the client browser, then when the client attempts to access protected
documents on your site, the server will prompt for the username and password
to authenticate the user. The user then fills in this info and sends it across
the wire encrypted by SSL. So the password is (relatively) safe going across
the wire. Someone please tell me if I'm wrong on this one.
Rob Schuldt humble intern
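
Added example (not part of the original messages): a Python sketch of the two mechanisms discussed above, showing what an observer recovers from a Basic authentication header sent without SSL, and how an S/Key-style hash chain rejects a replayed response. Assumptions: SHA-256 stands in for S/Key's folded MD4 hash, and the names SKeyServer, otp and demo, the seed and the passphrase are constructed for illustration.

```python
import base64
import hashlib
import hmac

def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def sniff_basic(header: str) -> tuple[str, str]:
    """What anyone observing an unencrypted connection recovers: Base64 is
    an encoding, not encryption, so the password comes straight back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 as a stand-in; real S/Key folds MD4 to 64 bits.
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """Client side: hash (seed + secret) n times to get password number n."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

class SKeyServer:
    """Stores only the last accepted one-time password, never the secret."""
    def __init__(self, enrolled: bytes, count: int):
        self.stored, self.count = enrolled, count

    def challenge(self) -> int:
        return self.count - 1          # sequence number the client must use

    def verify(self, response: bytes) -> bool:
        # count <= 1 would ask for the unhashed secret, so re-enrolment is due.
        if self.count <= 1 or not hmac.compare_digest(h(response), self.stored):
            return False
        self.stored, self.count = response, self.count - 1
        return True

def demo() -> tuple[bool, bool, bool]:
    secret, seed = b"constructed passphrase", b"ke1234"   # constructed values
    server = SKeyServer(otp(secret, seed, 100), 100)
    response = otp(secret, seed, server.challenge())
    first = server.verify(response)    # legitimate login
    replay = server.verify(response)   # same bytes captured and sent again
    nxt = server.verify(otp(secret, seed, server.challenge()))
    return first, replay, nxt
```

The one-time password scheme only keeps a captured login from being reused; the documents themselves still cross the wire readable unless the connection is wrapped in SSL.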