curl-users

Re: newbie help: https and -u user:password authentication

From: Ralph Mitchell <rmitchell_at_eds.com>
Date: Fri, 27 Jun 2003 23:55:20 -0500

I looked at this a couple of days ago... When hitting a secure server,
the exchange goes like this:

    client: sends SYN packet
    server: replies with SYN/ACK packet
    client: sends SSL Client Hello packet

after that, there's no clear text. You don't even see what URL is
requested, let alone cookies, passwords and other client/server
chitchat. So, hit the server any way you like, it shouldn't make any
difference.

That was with Apache/mod_ssl, by the way, but I don't imagine IIS would
do it any other way.

Ralph Mitchell

Wesley Furgiuele wrote:

> I have been charged with taking over the maintenance of someone else's
> process, and I want to make sure I understand what's going on. The
> part of the process involving cURL is something I have no familiarity
> with. I've been reading the documentation and digging through the
> archives, but my question might be a bit too basic.
>
> So, can someone explain to me, or reassure me, that the user:password
> values in the following command are encrypted when they are sent?
>
> curl -u myname:mypass -D cookies1 https://securesite.com
> curl -b cookies1 -D cookies2 https://securesite.com
> curl -O -b cookies2 https://securesite.com/myfile.zip
>
> I am particularly concerned with the first line. I just want to make
> sure that, regardless of the fact that the username and password are
> stored as clear text in the script on the machine, they are encrypted
> before being sent by curl to the target site.
>
> I am only familiar with the web interface for the target site, but I
> would think that, aside from the above method of authenticating, it
> should also be possible to authenticate by posting the form values
> instead. Is there a difference in the security of the above code
> versus doing something like the following?
>
> curl -D cookie1 https://securesite.com
> curl -b cookie1 -d "user=myname&pass=mypass&submit=Log%20In" -D cookie2 https://securesite.com
> curl -O -b cookie2 https://securesite.com/myfile.zip
>
> Thanks in advance for any assistance!

Received on 2003-06-28
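
The comparison asked about in the thread, as an added example that is not part of the original mails: it builds simplified versions of the two HTTP requests (the `Authorization: Basic` header that `-u myname:mypass` produces and the form POST from the second command set) and shows that both carry the credentials in recoverable form at the HTTP layer, so in either case confidentiality comes only from the TLS session around them. The header set is trimmed to the essentials and the function names are hypothetical; the host, field names and values are the placeholders from the question.

```python
import base64
from urllib.parse import urlencode, parse_qs


def basic_auth_request(host, user, password):
    """Simplified request for `curl -u user:password https://host`."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode()


def form_login_request(host, fields):
    """Simplified request for `curl -d "user=...&pass=..." https://host`."""
    body = urlencode(fields)
    return (f"POST / HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


def recover_credentials(raw):
    """What any party that sees the HTTP bytes (i.e. without TLS) can read."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() == b"basic":
                # Base64 is an encoding, not encryption: decoding needs no key.
                user, _, pw = base64.b64decode(token).decode().partition(":")
                return user, pw
    form = parse_qs(body.decode())
    if "user" in form and "pass" in form:
        return form["user"][0], form["pass"][0]
    return None


if __name__ == "__main__":
    # Constructed sample values taken from the commands in the question.
    reqs = [
        basic_auth_request("securesite.com", "myname", "mypass"),
        form_login_request("securesite.com",
                           {"user": "myname", "pass": "mypass", "submit": "Log In"}),
    ]
    for r in reqs:
        print(r.decode().splitlines()[0], "->", recover_credentials(r))
```

Both requests yield the same username and password when read as plain HTTP, so neither login method is stronger than the other on the wire; the same commands against an `http://` URL would expose the credentials.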