views:

297

answers:

1

Hello,

I have a question about HTTPS and HTTP Authentication credentials.

Suppose I secure a url with HTTP Authentication:

<Directory /var/www/webcallback>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/passwd/passwords
Require user gooduser
</Directory>

I then access that URL from a remote system via HTTPS, passing the credentials in the URL:

https://gooduser:[email protected]/webcallback?foo=bar

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs? I'm having a hard time locating a credible source with this information.

Thanks!

+3  A: 

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTS

Yes, yes yes.

The entire communication is encrypted when SSL is in use.

David Dorward
+1. GETs and POSTs, including the url, are encrypted. I'll only add - tools like firebug and Tamper data are able to show the un-encrypted results *only because* they are a part of the browser and hence are able to intercept the request before it is encrypted. Once sent over the wire, everything is encrypted.
sri
To be clear, everything but the domain is encrypted. If anyone stumbles across this and would like a more detailed answer, see http://answers.google.com/answers/threadview/id/758002.html
rcourtna