In article <[EMAIL PROTECTED]> you wrote:
> Can someone explain to me if, and how much, SSL protects normal
> username/password authentication for accessing web pages. I think the
> password is sent encrypted over the wire, but are there any weaknesses I
> might not be aware of.
>
> P.S. We will have a token-based authentication scheme very shortly, I
> just want to know how secure username/passwd is combined with SSL.
Yes, the password is part of the HTTP headers and this stuff is sent over the
wire after the SSL handshake happened and established the encrypted
communication. So, as long as you don't use a Null-cipher, it's protected
reasonably. At least the HTTP Basic Auth username/password is treated the same
as any other application data by SSL.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
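
Added example (not part of the original message and not OpenSSL project code): the sketch below shows that a Basic Auth header is only base64-encoded, so its confidentiality rests entirely on the SSL/TLS cipher, and checks that a client context and a negotiated connection do not use a NULL cipher. The function names and the sample credentials are assumptions made up for illustration.

```python
import base64
import ssl

def basic_auth_header(user, password):
    """Build the Authorization header value a browser sends for Basic Auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic_auth(value):
    """Recover (user, password): base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Auth header")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def is_null_cipher(name):
    """True for NULL-encryption suites, e.g. NULL-SHA or TLS_RSA_WITH_NULL_SHA."""
    return "NULL" in name.upper().replace("_", "-").split("-")

def client_context():
    """Client context that verifies the server and excludes NULL suites."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    return ctx

def enabled_null_ciphers(ctx):
    """List any NULL-encryption suites the context would still offer."""
    return [c["name"] for c in ctx.get_ciphers() if is_null_cipher(c["name"])]

def connection_encrypts(cipher_info):
    """cipher_info is the (name, protocol, secret_bits) tuple from SSLSocket.cipher()."""
    if cipher_info is None:
        return False
    name, _protocol, bits = cipher_info
    return bits > 0 and not is_null_cipher(name)

if __name__ == "__main__":
    header = basic_auth_header("alice", "s3cret")  # constructed credentials
    print(header, "->", decode_basic_auth(header))
    print("NULL suites enabled:", enabled_null_ciphers(client_context()))
    print(connection_encrypts(("NULL-SHA", "TLSv1.2", 0)))  # constructed tuple
```

On a live connection, pass the result of `SSLSocket.cipher()` to `connection_encrypts()` before sending the Authorization header.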