curl-users

Re: Digest vs. Basic Authentication: Password sent in clear?

From: Jerry Krinock <jerry_at_ieee.org>
Date: Sat, 17 Mar 2007 19:01:24 -0700

on 07/03/17 13:29, Jerry Krinock at jerry_at_ieee.org wrote:

Hi,

I understand that Digest Authentication is preferred over Basic
Authentication since the latter sends passwords in cleartext. I find
that I am able to get data from a server such as del.icio.us via https with
either method, but when I sniff network traffic using tcpdump, I do not see
my password in either case. I expect to see my password when using Basic
Authentication. Why might I not see my password? Maybe my curl invocations
are wrong, or I don't know how to interpret tcpflow?

(My system is Mac OS 10.4.8, and it is behind an Apple Airport router
connected to a residential DSL line.)

Jerry Krinock

***** Invocation I used for Basic Authentication:
curl -u jerrykrinock:port7yuke -basic https://api.del.icio.us/v1/posts/all

***** Invocation I used for Digest Authentication
curl -u jerrykrinock:port7yuke -digest https://api.del.icio.us/v1/posts/all

***** tcpflow output during Basic Authentication.
      If you search that file for the password "port7yuke",
      you'll see that it is not found.
           010.000.001.205 is my computer's static IP address
           206.190.056.028 is Yahoo (del.icio.us)

Received on 2007-03-18
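
Added example (not part of the original message and not curl's own code): what Basic and Digest put in the Authorization header, and a check for recoverable Basic credentials in captured bytes. The host name, the sample requests and the TLS record bytes are constructed; the credentials and expected values are the published examples from RFC 2617. Over https the whole request, header included, travels inside TLS records, so neither scheme shows up in a capture.

```python
import base64
import hashlib
import re

def basic_header(user, password):
    """Basic: base64 of "user:password". An encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"

def digest_response(user, password, realm, nonce, method, uri, nc, cnonce):
    """Digest (RFC 2617, MD5, qop=auth): only a hash of the password is sent."""
    def md5(text):
        return hashlib.md5(text.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/]+=*)", re.I)

def exposed_basic_credentials(stream):
    """Return every "user:password" string recoverable from captured bytes."""
    found = []
    for match in BASIC_RE.finditer(stream):
        try:
            found.append(base64.b64decode(match.group(1), validate=True).decode())
        except ValueError:
            continue  # not valid base64, or not text
    return found

# Constructed captures. api.example.test is a placeholder host.
PLAIN_BASIC = ("GET /v1/posts/all HTTP/1.1\r\nHost: api.example.test\r\n"
               + basic_header("Aladdin", "open sesame") + "\r\n\r\n").encode()
DIGEST = digest_response("Mufasa", "Circle Of Life", "testrealm@host.com",
                         "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                         "GET", "/dir/index.html", "00000001", "0a4f113b")
PLAIN_DIGEST = ("GET /dir/index.html HTTP/1.1\r\nHost: api.example.test\r\n"
                'Authorization: Digest username="Mufasa", response="'
                + DIGEST + '"\r\n\r\n').encode()
# TLS application-data record header followed by stand-in ciphertext bytes.
TLS_RECORD = b"\x17\x03\x01\x00\x08" + bytes([0x8F, 0x1C, 0xE2, 0x40, 0x7A, 0x03, 0xB9, 0x55])

if __name__ == "__main__":
    for name, data in [("http+basic", PLAIN_BASIC), ("http+digest", PLAIN_DIGEST),
                       ("https", TLS_RECORD)]:
        print(name, exposed_basic_credentials(data))
```

Even on plain http, searching a capture for the literal password text finds nothing with Basic, because the header carries the base64 form.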