# Apache Security



## SuperMiguel (Jun 11, 2009)

When you do this: http://httpd.apache.org/docs/2.0/howto/auth.html
how secure is your folder? When you put the password on, does it travel in open text?


----------



## DutchDaemon (Jun 11, 2009)

Yes, username and password get sent over the wire in plaintext format. Just as with ftp, pop3, imap, etcetera. That's why we have https, sftp, imaps, pop3s, etcetera(s).


----------



## SuperMiguel (Jun 11, 2009)

So you think I'm better off using https?


----------



## vivek (Jun 11, 2009)

Digest authentication is more secure than Basic authentication, but only works with supporting browsers. However, combine mod_auth_digest with SSL and you should be fine.


----------



## SuperMiguel (Jun 11, 2009)

And I guess I can use sharkwire to see if the passwords are being transferred in plain text.


----------



## vivek (Jun 11, 2009)

SuperMiguel said:

> And I guess I can use sharkwire to see if the passwords are being transferred in plain text.



You don't understand digest authentication, do you? Let me put it in simple English - 



> Digest authentication is intended to supersede unencrypted use of the Basic access authentication, allowing user identity to be established securely without having to send a password in plaintext over the network. Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis.



Hope this helps


----------
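What a capture of each scheme would contain, as an added example that is not part of the original thread: the Basic header decodes straight back to the credentials, while the Digest header carries only an MD5 response that the server recomputes from its stored password. The function names are hypothetical, and the sample headers reuse the worked-example values printed in RFC 7617 and RFC 2617.

```python
import base64
import hashlib
import hmac
import re

# Sample headers reuse the worked-example values printed in RFC 7617 and RFC 2617.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_params(value):
    """Parse the key=value / key="value" list of a Digest header."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', value)
    return {key: quoted or bare for key, quoted, bare in pairs}

def inspect_authorization(header):
    """Report what a captured Authorization header value exposes."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() == "basic":
        # Basic is only base64: decoding recovers the credentials as typed.
        user, _, password = base64.b64decode(rest).decode("utf-8").partition(":")
        return {"scheme": "basic", "username": user, "password": password}
    if scheme.lower() == "digest":
        # Digest carries the username and an MD5 response, never the password.
        params = parse_params(rest)
        return {"scheme": "digest", "username": params.get("username"),
                "password": None, "params": params}
    raise ValueError("unsupported scheme: " + scheme)

def verify_digest(header, method, stored_password):
    """Server-side check of a qop=auth Digest response (RFC 2617)."""
    p = inspect_authorization(header)["params"]
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{stored_password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return hmac.compare_digest(expected, p["response"])

if __name__ == "__main__":
    print(inspect_authorization(BASIC_HEADER))
    print(verify_digest(DIGEST_HEADER, "GET", "Circle Of Life"))
```

The Digest header still shows the username, the requested URI and a hash derived from the password to anyone on the path, and the page content itself is unencrypted, which is why the advice above pairs mod_auth_digest with SSL.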



## phospher (Jun 29, 2009)

SuperMiguel said:

> And I guess I can use sharkwire to see if the passwords are being transferred in plain text.



And it's wireshark, but most of us here prefer tcpdump.


----------



## dennylin93 (Jun 30, 2009)

net/tshark will also work nicely (Wireshark without X11). There's also security/dsniff.


----------

