Authentication question


Dave Saville

Dec 2, 2011, 2:52:38 AM
to apa...@googlegroups.com
For a long time I have been running a web site that has username/password
to access. Today I got an email from a new sign up that he was getting a
warning message:

"This server is requesting that your user name and password be sent in an
insecure manner (basic authentication) without a secure connection"

No one has mentioned this before out of over a thousand members but I
assume that this is because the page(s) are HTTP rather than HTTPS. I have
seen sites where the page is HTTP but user/passwords *are* encrypted - so
how do they do that?

TIA

--
Kind regards

Dave Saville

Charles Christacopoulos

Dec 2, 2011, 5:38:55 AM
to apa...@googlegroups.com

Hi,

It is the browser recognising that the user is going to logon to
something which is http and gives the warning. I think ... as I used to
run https but not any more.

Cheers
Charles


--
Charles Christacopoulos, Management Information Officer,
Strategic Information Management, ICS, University of Dundee,
Dundee, DD1 4HN, Scotland, United Kingdom.
t: 44(0)1382-384891 w: www.somis.dundee.ac.uk

The University of Dundee is a Scottish Registered Charity, No. SC015096.

Zdenek Wagner

Dec 2, 2011, 6:23:41 AM
to apa...@googlegroups.com
2011/12/2 Charles Christacopoulos <c.k.chris...@dundee.ac.uk>:

> Dave Saville wrote:
>>
>> For a long time I have been running a web site that has username/password
>> to access. Today I got an email from a new sign up that he was getting a
>> warning message:
>>
>> "This server is requesting that your user name and password be sent in an
>> insecure manner (basic authentication) without a secure connection"
>>
>> No one has mentioned this before out of over a thousand members but I
>> assume that this is because the page(s) are HTTP rather than HTTPS. I have
>> seen sites where the page is HTTP but user/passwords *are* encrypted - so
>> how do they do that?
>>
>> TIA
>>
>
> Hi,
>
> It is the browser recognising that the user is going to logon to something
> which is http and gives the warning.  I think ... as I used to run https but
> not any more.
>
The message says that http is used and AuthType-Basic. In such a case
the user name and password are transferred unencrypted. You can use
http with AuthType=Digest. In this case the information is still
unencrypted but the password is not transferred. The server sends a
challenge and the browser has to respond with a response. It is
calculated using an algorithm specified in AuthDigestAlgorithm. Apache
always calculates a random challenge so that it should not be easy to
guess the real password. 20 years ago some browsers were unable to use
this authentication method, I do not know how it is today. I have
never tried it, I have been using https for many years.

> Cheers
> Charles
>
>
> --
> Charles Christacopoulos, Management Information Officer,
> Strategic Information Management, ICS, University of Dundee,
> Dundee, DD1 4HN, Scotland, United Kingdom.
> t: 44(0)1382-384891 w: www.somis.dundee.ac.uk
>
> The University of Dundee is a Scottish Registered Charity, No. SC015096.
>
>

--
Zdeněk Wagner
http://hroch486.icpf.cas.cz/wagner/
http://icebearsoft.euweb.cz
