Jelmer Jellema wrote: > By the way. I read something about the auth part of the https connection > starting *before* the ssl-encryption was established, thush sending the > apache auth password unencrypted, only to start encrypting right after? > Maybe I misunderstood? (hope so).
Cobalt assures me the encrypted session is started before the password is sent; but the browser doesn't update until after the login window goes away. This looks to be true but I haven't done anything to "prove" it. Jeff -- Jeff Lasman <[EMAIL PROTECTED]> Linux and Cobalt/Sun/RaQ Consulting nobaloney.net P. O. Box 52672, Riverside, CA 92517 voice: (909) 778-9980 * fax: (702) 548-9484 _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
