views:

127

answers:

3

How is the password I enter in, say a Gmail login form, transferred to the web server securely?

  • What does the browser or any client application do?
  • What does the web server do?
+3  A: 

By using SSL.

EDIT
A nice resource of information about security and encryption is the Security Now! podcast by Steve Gibson and Leo Laporte. Steve can explain very thoroughly how security works, so go check it out!

The latest episode (#183) is about Modes of Encryption (link to shownotes/podcast)

Zaagmans
Removed mine!! Beat me by a few milliseconds :)
Shoban
Yes, I know it encrypts. And I also have a vague idea that they use public-key cryptography but I could be wrong. Can you explain in detail?
artknish
David Grant
@Mr Potato Head: Thank you! That's what I heard from others too but with that information I still feel I'm not so clear about it that I can explain to someone if I'm asked.
artknish
@Zaagmans: Thanks! I'll listen to those podcasts. Cryptography has always fascinated me, but every time I read something about it on Wikipedia, I see 10,000 other unfamiliar pieces of jargon that confuse me.
artknish
@Srikanth: You are welcome! I've been subscribed to the podcast since about episode 30 and all I can say is that I've learned a LOT since then about security and encryption!
Zaagmans
@Zaagmans: I listened to 1 episode, "Symmetric Stream Ciphers." Steve Gibson did a fantastic job in explaining and Leo supported him very well. I'm subscribed! Thanks again!!
artknish
+1  A: 

In the case of GMail, or any other form based authentication, the protection comes from the transport layer. If you are sending the form via HTTP, there is basically no protection. If you send the form using SSL (which you should be using) the protection comes from SSL. You can read more about SSL at http://en.wikipedia.org/wiki/Transport_Layer_Security

Guillaume
A: 

This depends entirely on whether it's an HTTPS or HTTP request. In general, HTTP authentication requests are sent in what's called "plaintext equivalent". It's encoded in Base-64, which is easily reversed, so it's basically considered plaintext... meaning it's not secure.

Some browsers, like Internet Explorer, have some extensions to allow "secure" passwords to be sent to servers that understand and can decode them. This generally means IIS running in a domain environment. I put secure in quotes because, as with most things Microsoft does, the amount of true security is often up for discussion.

If you're using HTTPS, the password is still sent the same way, but because it's passing over a secure transport it doesn't matter if the password is cleartext or not, since the transport is encoding it.

Mystere Man
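To make the "plaintext equivalent" point from the answer above concrete, here is an added Python example (not code from the answer's author) that parses a constructed HTTP request, reverses the Base-64 in its Basic Authorization header, and flags the request when it did not travel over TLS. The host name and the credentials in the sample are made up.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample request, as a proxy or packet capture would show it.
# The Authorization value is just Base-64 of "alice:hunter2" (made-up credentials).
SAMPLE_REQUEST = (
    "GET /mail/ HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP request into a dict keyed by lowercase header name."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a 'Basic <base64>' header value.
    Returns None for other schemes, invalid Base-64, or a missing ':' separator."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def plaintext_equivalent(raw_request: str, over_tls: bool) -> bool:
    """True when the request carries Basic credentials on a non-TLS connection:
    anyone on the path can read them with a single Base-64 decode."""
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        return False
    return decode_basic_auth(auth) is not None and not over_tls
```

Over HTTPS the same header is sent unchanged, but `plaintext_equivalent` returns False because the transport, not the encoding, is what keeps it private.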