You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by SSleeper <SS...@iProsperOnline.com> on 2002/02/19 18:08:25 UTC
How Secure is .htaccess?
How secure is .htaccess, can I trust it with private info?
Thanks
Vic
Re: How Secure is .htaccess?
Posted by SSleeper <SS...@iProsperOnline.com>.
Use basic SSL, then for login, use .htaccess, i.e... place an .htaccess file
in the ssl folder, or should I use some progmatic form of authorization, as
ssl in itself, won't ask for a user id and password.
Correct, or I'm I off base.
Thanks
Vic
----- Original Message -----
From: "Joshua Slive" <jo...@slive.ca>
To: <us...@httpd.apache.org>; "SSleeper" <SS...@iProsperOnline.com>
Sent: Tuesday, February 19, 2002 12:50 PM
Subject: RE: How Secure is .htaccess?
>
> From: SSleeper [mailto:SSleeper@iProsperOnline.com]
>
> > How secure is .htaccess, can I trust it with private info?
>
> [Please post in plain text]
>
> That question is ambiguous. For one thing, .htaccess is just a
> configuration file, like httpd.conf. You can put most Apache directives
in
> .htaccess. For another thing, what does "private info" mean, and what
does
> "trust" mean? You need to ask a much more specific question.
>
> Taking a wild guess: If you are asking whether HTTP basic authentication
is
> secure from sniffing, the answer is "no". The password is sent
unencrypted
> on each request and can be easily read off the wire. If you need secure,
> you should use SSL.
>
> Joshua.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: How Secure is .htaccess?
Posted by Joshua Slive <jo...@slive.ca>.
From: SSleeper [mailto:SSleeper@iProsperOnline.com]
> How secure is .htaccess, can I trust it with private info?
[Please post in plain text]
That question is ambiguous. For one thing, .htaccess is just a
configuration file, like httpd.conf. You can put most Apache directives in
.htaccess. For another thing, what does "private info" mean, and what does
"trust" mean? You need to ask a much more specific question.
Taking a wild guess: If you are asking whether HTTP basic authentication is
secure from sniffing, the answer is "no". The password is sent unencrypted
on each request and can be easily read off the wire. If you need secure,
you should use SSL.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org