25 Feb
2010
25 Feb
'10
7:21 p.m.
Hi everyone,
I was wondering how the standard authentication handles user
passwords. Especially I would like to know whether those passwords get
sent from the client to the server in plaintext or whether they get
encrypted.
Or in other words is it safe to use a non-encrypted http connection or
should I use to a SSL https connection to prevent password sniffing.
Thanks for your help,
--Alaina
25 Feb
25 Feb
7:36 p.m.
Hi Alaina,
On Thu, Feb 25, 2010 at 7:21 PM, Alaina <xwiki(a)ursus.otherinbox.com> wrote:
Hi everyone,
I was wondering how the standard authentication handles user
passwords. Especially I would like to know whether those passwords get
sent from the client to the server in plaintext or whether they get
encrypted.
Or in other words is it safe to use a non-encrypted http connection or
should I use to a SSL https connection to prevent password sniffing.
I think HTTPS is safer. Passwords are stored encrypted on the DB but AFAIK
if you're using HTTP they're going to be sent plaintext to the wiki, thus
allowing for sniffing during the transfer. I might be wrong though ;-)
HTTPS is safer as a general rule anyway.
Guillaume
Thanks for your help,
--Alaina
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Guillaume Lerouge
Product Manager - XWiki SAS
Skype: wikibc
Twitter: glerouge
http://guillaumelerouge.com/
9:27 p.m.
On 02/25/2010 07:36 PM, Guillaume Lerouge wrote:
Hi Alaina,
On Thu, Feb 25, 2010 at 7:21 PM, Alaina<xwiki(a)ursus.otherinbox.com> wrote:
Guillaume is correct, but this applies only to the default cookie-based
authentication.
Hi everyone,
I was wondering how the standard authentication handles user
passwords. Especially I would like to know whether those passwords get
sent from the client to the server in plaintext or whether they get
encrypted.
Or in other words is it safe to use a non-encrypted http connection or
should I use to a SSL https connection to prevent password sniffing.
I think HTTPS is safer. Passwords are stored encrypted on the DB but AFAIK
if you're using HTTP they're going to be sent plaintext to the wiki, thus
allowing for sniffing during the transfer. I might be wrong though ;-) HTTPS is safer as a general rule anyway.
To reduce the need for encryption, you can just setup the httpd frontend
to automatically redirect from HTTP to HTTPS for login URLs, and back to
HTTP for all the other URLs.
Guillaume
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
26 Feb
26 Feb
12:08 a.m.
Hi Sergiu,
On Thu, Feb 25, 2010 at 9:27 PM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
On 02/25/2010 07:36 PM, Guillaume Lerouge wrote:
AFAIK
See, sometimes I'm even right when it comes to software ;-)
Guillaume
Hi Alaina,
On Thu, Feb 25, 2010 at 7:21 PM, Alaina<xwiki(a)ursus.otherinbox.com>
wrote:
Hi everyone,
I was wondering how the standard authentication handles user
passwords. Especially I would like to know whether those passwords get
sent from the client to the server in plaintext or whether they get
encrypted.
Or in other words is it safe to use a non-encrypted http connection or
should I use to a SSL https connection to prevent password sniffing.
I think HTTPS is safer. Passwords are stored encrypted on the DB but if you're using HTTP they're going to be
sent plaintext to the wiki, thus
allowing for sniffing during the transfer. I might be wrong though ;-)
Guillaume is correct, but this applies only to the default cookie-based
authentication.
HTTPS is safer as a general rule anyway.
To reduce the need for encryption, you can just setup the httpd frontend
to automatically redirect from HTTP to HTTPS for login URLs, and back to
HTTP for all the other URLs.
--
Guillaume Lerouge
Product Manager - XWiki SAS
Skype: wikibc
Twitter: glerouge
http://guillaumelerouge.com/
Guillaume
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
5371
days inactive
5371
days old
3 comments
3 participants
participants (3)
-
Alaina -
Guillaume Lerouge -
Sergiu Dumitriu