I have empirical evidence confirming what Daniel said about SSL encryption.

I just tried fetching a file from one of my own servers using both http
and https, while watching the transactions with ethereal.

With the non-secure link, there's an exchange of SYN & ACK packets,
followed by the GET, in which I can see the minimally-encoded
userid/password.

With the secure link, the initial SYN/ACK sequence is immediately
followed by an "SSLv2 Client Hello" packet, then key exchange packets.
 So, the SSL handshake takes place immediately after SYN/ACK, and
everything else is encrypted. I don't see anything like the
minimally-encoded userid/password.

Ralph Mitchell

Carter Harris wrote:

>2. I also used cURL to connect to an HTTPS server and download a file or
>two. The HTTPS server required a uid and pwd in encrypted using Base64
>Encoding. I accomplished this by using the coded text in the -u
>parameter and it worked just fine.
>
>I pretty sure (correct me if I'm wrong) that uid and pwd are always sent
>clear-text since the logon takes place before the SSL handshake takes
>place. Is there some sort of standard encryption that can be used for
>uid and pwd?
>
>Daniel: I'm really enjoying using your program; it's a great piece of
>code. It won't be retirement-time but I will hit you with paypal real
>soon. Thanks again. -Carter
>
>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by: INetU
>Attention Web Developers & Consultants: Become An INetU Hosting Partner.
>Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
>INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
>
>

-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
Received on 2003-06-24