David McCabe wrote:
> Yes, it is off-topic, but I am replying anyway, because you are slightly wrong. :)
>
> If the first connection to a web site causes the authentication to be activated, the
> password is _NOT_ encrypted. A successful connection has to be established with a
> secure web site before the encryption is turned on. After the first connection, every
> other connection is then encrypted. The best way to ensure the password is encrypted
> is to have one unprotected page to go to, with links to the protected parts. Client
> connects to that page, encryption is on. Click on a link to a protected area,
> authentication goes on, but everything is now encrypted, including username/password
> given for authentication.
Do you have some documentation on that? I say you are smoking crack.
I refer you to these:
[1] http://home.netscape.com/eng/ssl3/draft302.txt
[2] http://www.modssl.org/docs/2.5/ssl_intro.html#figure1
Specifically, from [1]:
    The SSL Record Protocol is used for encapsulation
    of various higher level protocols. One such encapsulated protocol,
    the SSL Handshake Protocol, allows the server and client to
    authenticate each other and to negotiate an encryption algorithm
    and cryptographic keys before the application protocol transmits or
    receives its first byte of data.
SSL traffic is encrypted before the first HTTP byte goes over the wire.
-jwb
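The ordering the SSL spec excerpt describes (handshake records, then a change_cipher_spec, and only then the first application_data record carrying HTTP) can be checked directly on a captured byte stream. The script below is an added example, not code from either poster or from any of the referenced documents: it builds a small record-layer parser, runs it over two constructed captures of the same Basic-auth request (one over plain HTTP, one wrapped in TLS records), and checks whether the base64 credential token is visible in the bytes. The credentials, hostname and handshake bodies are constructed placeholders, and the one-time pad used to produce the application_data payload stands in for the negotiated cipher; it is not TLS record encryption.

```python
"""Check a TLS record-layer capture: handshake before any application data,
and no plaintext Basic-auth credentials on the wire (constructed sample data)."""
import base64
import secrets
import struct

# TLS record-layer content types (same numbering in SSL 3.0 and TLS 1.x).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
CONTENT_TYPE_NAMES = {
    CHANGE_CIPHER_SPEC: "change_cipher_spec",
    ALERT: "alert",
    HANDSHAKE: "handshake",
    APPLICATION_DATA: "application_data",
}

USERNAME, PASSWORD = "alice", "s3cret"   # constructed demo credentials (assumption)


def basic_auth_header(username, password):
    """HTTP Basic credentials are only base64-encoded, never encrypted by HTTP itself."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}\r\n"


def http_request(username, password):
    """A plain HTTP/1.1 request to a protected page, as a browser would send it."""
    return ("GET /protected/ HTTP/1.1\r\nHost: www.example.org\r\n"
            + basic_auth_header(username, password) + "\r\n").encode()


def tls_record(content_type, payload, version=(3, 1)):
    """Encode one record: content type (1 byte), version (2), length (2), payload."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def parse_records(stream):
    """Split a raw record-layer byte stream into (content_type, version, payload) tuples."""
    records, offset = [], 0
    while offset < len(stream):
        header = stream[offset:offset + 5]
        if len(header) < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack("!BBBH", header)
        if ctype not in CONTENT_TYPE_NAMES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record body at offset {offset}")
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    return records


def handshake_precedes_data(records):
    """True if a handshake and a change_cipher_spec both occur before any application_data."""
    types_before_data = []
    for ctype, _, _ in records:
        if ctype == APPLICATION_DATA:
            break
        types_before_data.append(ctype)
    return HANDSHAKE in types_before_data and CHANGE_CIPHER_SPEC in types_before_data


def credentials_exposed(stream, username, password):
    """True when the raw user:pass or its base64 Basic token is visible in the bytes."""
    raw = f"{username}:{password}".encode()
    return raw in stream or base64.b64encode(raw) in stream


def record_types(stream):
    """Human-readable record sequence, e.g. for a log line."""
    return [CONTENT_TYPE_NAMES[ctype] for ctype, _, _ in parse_records(stream)]


def plaintext_capture():
    """Constructed capture of the request sent over plain HTTP."""
    return http_request(USERNAME, PASSWORD)


def tls_capture():
    """Constructed capture of the same request over TLS: handshake records first,
    then the HTTP request inside an application_data record. The one-time pad is a
    stand-in for the negotiated cipher, not real TLS record encryption."""
    plain = http_request(USERNAME, PASSWORD)
    pad = secrets.token_bytes(len(plain))
    ciphertext = bytes(p ^ k for p, k in zip(plain, pad))
    return b"".join([
        tls_record(HANDSHAKE, b"\x01" + b"\x00" * 40),   # ClientHello (placeholder body)
        tls_record(HANDSHAKE, b"\x02" + b"\x00" * 40),   # ServerHello/Certificate (placeholder)
        tls_record(CHANGE_CIPHER_SPEC, b"\x01"),         # cipher now active
        tls_record(HANDSHAKE, secrets.token_bytes(16)),  # encrypted Finished (placeholder)
        tls_record(APPLICATION_DATA, ciphertext),        # first HTTP byte: already encrypted
    ])


if __name__ == "__main__":
    print("plain HTTP exposes credentials:", credentials_exposed(plaintext_capture(), USERNAME, PASSWORD))
    stream = tls_capture()
    print("TLS record sequence:", record_types(stream))
    print("handshake before data:", handshake_precedes_data(parse_records(stream)))
    print("TLS exposes credentials:", credentials_exposed(stream, USERNAME, PASSWORD))
```

The plaintext capture contains the `Authorization: Basic` token in the clear, while in the TLS capture the parser finds four handshake-phase records ahead of the single application_data record and the token is absent from the bytes. Pointed at a real capture, the same parser would flag a stream whose first record is application_data, which is the condition a defender would actually want an alert on.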