|
Home > Archive > IIS Server Security > July 2007 > Is it safe using Basic Authentication when using HTTPS
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Is it safe using Basic Authentication when using HTTPS
|
|
| Paw Pedersen 2007-07-11, 1:21 pm |
| As far as I can find out, the SSL handshake is being done before the basic
authentication credentials is passed through the network, so it will be
encrypted, and not possible to sniff. Can anybody please confirm that?
Best regards
Paw Pedersen
| |
| Ken Schaefer 2007-07-12, 1:22 am |
| Your understanding is correct - traffic is encrypted prior to any
transmission of credentials in the HTTP entity.
Depending on the key strength of your asymmetric and then session keys, it
may be possible to brute force the encrypted packets after they have been
sniffed.
Cheers
Ken
"Paw Pedersen" <newsATpaws.dk> wrote in message
news:uH0Lrl9wHHA.4736@TK2MSFTNGP04.phx.gbl...
> As far as I can find out, the SSL handshake is being done before the basic
> authentication credentials is passed through the network, so it will be
> encrypted, and not possible to sniff. Can anybody please confirm that?
>
> Best regards
> Paw Pedersen
>
|
|
|
|
|