tags:

views:

41

answers:

2
+4  Q: 

Can an authentication via HTTP over IIS be encrypted (without SSL)?

I'm accustomed to *nix servers and if we wanted a completely secure sign in screen, we (as far as I am aware) are to use SSL via HTTPS. Our overseeing organization at work use Windows Servers for serving web pages. On one such page they are authenticating network credentials. This page is using HTTP, and what appears to be Basic Auth (a popup dialog) for an SQL Server Report Manager.

They say Basic is disabled in IIS.

In my limited experience with IIS at college, I (think I) recall subdomains can override general settings. They believe it's using Integrated Windows Authentication.

So...

  1. Is there a way to differentiate between Basic Auth and Integrated Windows Auth when viewing a web-page prompt, and...

  2. Is it possible to encrypt the communication between computer and server during authentication so that the text being sent is encrypted (without a JS solution)?

+2  A: 

Both Basic and Windows Integrated authentication send the credentials unencrypted over the wire. If the popup login box has the name of the browser in it, and looks like a standard window, it's Basic or Integrated. If the username/password used to gain access is the same as the user's domain account, it's Windows Integrated. You can confirm either by sniffing the HTTP transmission with Fiddler.

There is no good, practical way to encrypt those credentials in either case without SSL. Here is a good article on why custom security methods are a bad idea, and SSL is the way to go.

Dave Swersky  2010-06-18 19:30:17
Thank you, Dave!
BrendonKoz  2010-06-18 20:21:56
+2  A: 

You could also use HTTP Digest authentication, which will encrypt the authentication in the HTTP header (even without SSL). This will show a dialog box similar to the one you get with HTTP Basic authentication. There are a couple of downsides:

  • Most browsers use the same dialog box for Basic and Digest authentication, so as a user, you don't really know which one it's using.
  • Only the authentication is encrypted, a Man-In-The-Middle who could intercept and alter the exchange could replace the content of the requests using those credentials.

For these reasons, SSL is better (as suggested before).

Bruno  2010-06-21 23:21:21
Thank you, Bruno! As I was looking for a completely secure solution, that wouldn't work, but I most definitely appreciate the extra information and will pass it on. Thanks again!
BrendonKoz  2010-07-07 14:35:45

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.