| Davide Bianchi 2006-05-25, 1:25 am |
| On 2006-05-24, deciacco <eugenio@iatmgu.com> wrote:
> If one uses .htaccess files with AuthType Basic and the virtual server
> uses SSL, are the passwords sent encrypted?
Yes, the whole request is encrypted, hence the username and the password.
> Is this a good enough security mechanism?
Define 'good enough' for you first. If the client machine harbours a
trojan or a keylogger, it doesn't really matter if the password is sent
encrypted or in the clear.
> Is there a better way?
It depends what you need/want to do. For most down-to-earth applications
it is enough, but only as long as you trust your users. A statistic I saw
some time ago showed that most of the time the problem isn't the fact that
the password is encrypted or not, it is the fact that the password is simply
so stupid that everybody can guess it.
Note: this has really nothing to do with Apache or configuration, you
should ask on something like comp.os.linux.security or similar.
Davide
--
I'm fairly sure that if they took all the porn off the Net, there'd only be
one website left, and it would be called "bring-back-the-porn dot com".
-- Perry Cox, _Scrubs_
|
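Added example, not part of the original thread: Basic authentication only base64-encodes the credentials, so the encryption described above comes entirely from SSL, and it is worth making the `.htaccess` itself refuse non-SSL requests in case the same directory is also reachable through a plain-HTTP virtual host. The realm name and the password file path are placeholders, and the sketch assumes mod_ssl is loaded and `AllowOverride AuthConfig` is in effect for the directory.

```apache
# --- Weak: authentication only (constructed example) ---
# If this directory is also served by a non-SSL virtual host, the
# Authorization header crosses the wire base64-encoded, not encrypted.
#
#   AuthType Basic
#   AuthName "Restricted area"
#   AuthUserFile /path/to/.htpasswd
#   Require valid-user

# --- Hardened: same authentication, but SSL is mandatory ---
# mod_ssl rejects any request for this directory that did not arrive
# over SSL, so the client is never prompted for a password in the clear.
SSLRequireSSL

AuthType Basic
AuthName "Restricted area"
# Placeholder path: keep the password file outside the document root.
AuthUserFile /path/to/.htpasswd
Require valid-user
```

If the directory also uses `Satisfy Any`, add `SSLOptions +StrictRequire` (this needs `AllowOverride Options`) so the SSL requirement cannot be overridden by another access rule that passes.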