Thus said Kevin Martin on Sat, 01 Feb 2014 09:14:20 +0000:

> How does fossil authenticate with a server, does it send the password
> plaintext? HTTP Basic Auth does!

It's not encrypted, no, only base64 encoded.

> I'm not sure whether this should just happen by default unless the
> connection is HTTPS as defaulting to sending plaintext auth data over
> HTTP seems like a bad idea.

This is why I asked if it was even a good idea to do. Using Basic
Authorization basically means transmitting a password unencrypted if the
connection is not wrapped in SSL. So perhaps if Fossil is being used with
HTTP it should prompt before automatically sending the Authorization?
Should this decision be stored?

> Also I never knew about prefixing the password with #, for me
> documenting that is enough. I'm happy now using it as is.

I think a command line option would be more appropriate (and
self-documenting) because it has less surprise factor. If I don't know
about the # option, and I set my password to "#pass", I will be unable
to clone with my credentials because Fossil will strip it off and send
"pass" without the #.

My original attempt was simply to add an option for cloning which
allowed the user to turn on the basic auth (as opposed to the use of #):

fossil clone --httpauth http://user@host/project

Andy
-- 
TAI64 timestamp: 4000000052ed2937


_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
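The two points raised in the message above, that Basic Authorization is only base64-encoded and therefore readable by anyone who sees plain-HTTP traffic, and that a leading "#" marker cannot be told apart from a password that really begins with "#", are illustrated by the following added example. It is not Fossil code and not from the thread; the `split_marker` function is only a model of the "#" convention as the message describes it, and `should_send_basic_auth` is a hypothetical implementation of the "only over HTTPS unless explicitly allowed" policy the message proposes.

```python
import base64
from urllib.parse import urlsplit


def build_basic_auth(user: str, password: str) -> str:
    """Build the Authorization header value an HTTP client sends for Basic auth.

    RFC 7617: the credential is base64("user:password"). base64 is an encoding,
    not encryption; it offers no confidentiality at all.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(header_value: str) -> tuple[str, str]:
    """What an on-path observer of plain HTTP can do with the header: undo the encoding.

    The user-id may not contain ':', so the first colon separates user from password;
    anything after it (including further colons) is the password.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def split_marker(stored_password: str) -> tuple[bool, str]:
    """Model (assumption, not Fossil's code) of the '#' convention as the message
    describes it: a leading '#' means 'use Basic auth' and is stripped before sending.

    Returns (use_basic_auth, password_actually_sent). The surprise the message points
    out follows directly: a real password of '#pass' is sent as 'pass'.
    """
    if stored_password.startswith("#"):
        return True, stored_password[1:]
    return False, stored_password


def should_send_basic_auth(url: str, allow_plaintext: bool = False) -> bool:
    """Hypothetical policy check from the message's proposal: send the Authorization
    header automatically only over https; over plain http only if the user opted in
    (e.g. via an explicit command-line flag)."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return True
    if scheme == "http":
        return allow_plaintext
    raise ValueError(f"unsupported scheme: {scheme!r}")


def wire_password_for(stored_password: str, url: str, allow_plaintext: bool = False):
    """Combine the two: decide whether the credential goes on the wire and, if so,
    what password an observer would recover from it. Returns None when the policy
    says not to send."""
    use_basic, sent = split_marker(stored_password)
    if not use_basic or not should_send_basic_auth(url, allow_plaintext):
        return None
    header = build_basic_auth("user", sent)  # 'user' is a constructed sample login
    return recover_credentials(header)[1]


if __name__ == "__main__":
    # Constructed sample: a user who chose the literal password '#pass'.
    header = build_basic_auth("alice", "s3cret")
    print(header)                         # the bytes an HTTP sniffer sees
    print(recover_credentials(header))    # ... and what they trivially yield
    print(split_marker("#pass"))          # marker convention strips the '#'
    print(wire_password_for("#pass", "http://host/project"))             # None: refused
    print(wire_password_for("#pass", "http://host/project", True))       # 'pass'
    print(wire_password_for("#pass", "https://host/project"))            # 'pass'
```

Running it shows the header for alice is just "Basic YWxpY2U6czNjcmV0", which any observer of an unencrypted connection decodes back to the credentials in one step, and that under the modelled "#" convention a password of "#pass" reaches the server as "pass". The command-line flag proposed in the message (`fossil clone --httpauth ...`) would correspond to passing `allow_plaintext=True` explicitly rather than inferring intent from the password's first character.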
