Tuesday, January 18, 2011

Is AuthType Basic secure when used over SSL?

I am authenticating clients of an apache2 server using AuthType Basic over SSL secured connections. I imagine these are secure, as the usernames and passwords are encrypted before they are sent to the server.

Is that right?

  • Yes, that's pretty much secure (notwithstanding the recent vulnerability found in TLS during renegotiation). The vast majority of sites use exactly that.

    For additional security, consider client side certificates, two-factor authentication, etc.

    From Alnitak
  • That is correct. In fact, SSL is the easiest method to secure that kind of data. The security of SSL changes over time as cyphers and hash methods succumb to better attacks and faster hardware, but it is still very secure.

    chernevik : Thanks. A reference to the weakness of AuthType Basic in the Apache docs made me worry I'd missed something.
  • SSL was designed specifically to secure that kind of connection. You're still vulnerable to brute-force attacks if you use weak passwords and don't monitor your Apache logs.

    From neoice
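
The log monitoring mentioned in the last answer, as an added example that is not part of the original answers: it scans Apache access-log lines for bursts of failed Basic-auth attempts from one client. The function name, threshold, window and sample log lines are assumptions constructed for illustration, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (documentation IP ranges, made-up usernames).
SAMPLE_LOG = """\
198.51.100.20 - - [18/Jan/2011:09:59:50 +0000] "GET /private/ HTTP/1.1" 401 401
198.51.100.20 - alice [18/Jan/2011:09:59:58 +0000] "GET /private/ HTTP/1.1" 401 401
198.51.100.20 - alice [18/Jan/2011:10:00:05 +0000] "GET /private/ HTTP/1.1" 200 5120
203.0.113.7 - admin [18/Jan/2011:10:00:01 +0000] "GET /private/ HTTP/1.1" 401 401
203.0.113.7 - root [18/Jan/2011:10:00:02 +0000] "GET /private/ HTTP/1.1" 401 401
203.0.113.7 - admin [18/Jan/2011:10:00:03 +0000] "GET /private/ HTTP/1.1" 401 401
203.0.113.7 - test [18/Jan/2011:10:00:04 +0000] "GET /private/ HTTP/1.1" 401 401
203.0.113.7 - admin [18/Jan/2011:10:00:05 +0000] "GET /private/ HTTP/1.1" 401 401
"""

def find_basic_auth_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: sorted usernames tried} for clients with at least
    `threshold` failed credential attempts inside any `window`-long interval."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    users = defaultdict(set)     # ip -> usernames seen on failed attempts
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        # A 401 with user "-" is the initial challenge (no credentials sent);
        # a 401 with a username logged is a rejected username/password pair.
        if not m or m["status"] != "401" or m["user"] == "-":
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        users[m["host"]].add(m["user"])
        if len(q) >= threshold:
            flagged.add(m["host"])
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    print(find_basic_auth_bruteforce(SAMPLE_LOG.splitlines()))
```

The client with a single mistyped password followed by a successful login is not reported; the client that cycles through usernames within a few seconds is.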
