tags:

views:

297

answers:

1
+2  Q: 

HTTP Basic Authentication credentials passed in URL and encryption

Hello,

I have a question about HTTPS and HTTP Authentication credentials.

Suppose I secure a url with HTTP Authentication:

<Directory /var/www/webcallback>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/passwd/passwords
Require user gooduser
</Directory>

I then access that URL from a remote system via HTTPS, passing the credentials in the URL:

https://gooduser:[email protected]/webcallback?foo=bar

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs? I'm having a hard time locating a credible source with this information.

Thanks!

+3  A: 

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTS

Yes, yes yes.

The entire communication is encrypted when SSL is in use.

David Dorward  2010-04-26 21:25:00
+1. GETs and POSTs, including the url, are encrypted. I'll only add - tools like firebug and Tamper data are able to show the un-encrypted results *only because* they are a part of the browser and hence are able to intercept the request before it is encrypted. Once sent over the wire, everything is encrypted.
sri  2010-04-27 05:40:04
To be clear, everything but the domain is encrypted. If anyone stumbles across this and would like a more detailed answer, see http://answers.google.com/answers/threadview/id/758002.html
rcourtna  2010-04-29 02:03:21

related questions

How would you implement a secure static login credentials system in Java?
Blocking https url's in a embedded gecko browser
Restrict Apache to only allow access using SSL for some directories
How to put up an off-the-shelf https to http gateway?
Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?
What's the best way to learn server RESTful code?
Force HTTPS. How is it possible?
How can I get LWP to validate SSL server certificates?
What must I do to make content such as images served over HTTPS be cached client-side?
What does a PHP developer need to know about https / secure socket layer connections?
What's a clean/simple way to ensure the security of a page?
Making sure a web page is not cached, across all browsers.
Best way in asp.net to force https for an entire site?
Any way to handle Put and Delete verbs in ASP.Net MVC?
Response.Redirect with POST instead of Get?
How to get the correct Content-Length for a POST request.
IIS7: HTTP->HTTPS Cleanly
[ASP.NET ERROR] The request was aborted: Could not create SSL/TLS secure channel.
Testing HTTPS files with MAMP
How do banks remember "your computer"?
Avoid traffic shaping by using ssh on port 443
Convince Firefox to send an If-Modified-Since header over HTTPS
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
Options for Google Maps over SSL