264

I have a question about HTTPS and HTTP Authentication credentials.

Suppose I secure a URL with HTTP Authentication:

<Directory /var/www/webcallback>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/passwd/passwords
Require user gooduser
</Directory>

I then access that URL from a remote system via HTTPS, passing the credentials in the URL:

https://gooduser:secretpassword@www.example.com/webcallback?foo=bar

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs? I'm having a hard time locating a credible source with this information.

Ripon Al Wasim
rcourtna
  • 1
    Related: [Username and password in https url](http://stackoverflow.com/questions/4980912/username-and-password-in-https-url) – Hawkeye Parker Feb 04 '15 at 02:25
  • Very old question but nevertheless: this approach has been deprecated by https://www.ietf.org/rfc/rfc3986.txt: _"Use of the format "user:password" in the userinfo field is deprecated."_ – Madbreaks Feb 13 '19 at 20:14

3 Answers

245

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs?

Yes, yes, yes.

The entire communication (save for the DNS lookup if the IP for the hostname isn't already cached) is encrypted when SSL is in use.

Ripon Al Wasim
Quentin
  • 26
    +1. GETs and POSTs, including the url, are encrypted. I'll only add - tools like firebug and Tamper data are able to show the un-encrypted results *only because* they are a part of the browser and hence are able to intercept the request before it is encrypted. Once sent over the wire, everything is encrypted. – Sripathi Krishnan Apr 27 '10 at 05:40
  • 21
    To be clear, everything but the domain is encrypted. If anyone stumbles across this and would like a more detailed answer, see http://answers.google.com/answers/threadview/id/758002.html – rcourtna Apr 29 '10 at 02:03
  • 7
    For sake of completeness, "[Internet Explorer does not support user names and passwords in Web site addresses (HTTP or HTTPS URLs)](http://support.microsoft.com/kb/834489/en-us)" Looks like only Internet Explorer versions 3.0 to 6.0 support the following syntax for HTTP or HTTPS URLs: http(s)://username:password@server/resource.ext Note: This change in the default behavior does not affect other protocols. For example, you can still include user information in an FTP URL after you install the 832894 security update. – Luke Feb 21 '13 at 18:30
29

Yes, it will be encrypted.

You'll understand it if you simply check what happens behind the scenes.

  1. The browser or application will first break down the URL and try to get the IP of the host using a DNS query, i.e. a DNS request will be made to find the IP address of the domain (www.example.com). Please note that no other information will be sent via this request.
  2. The browser or application will initiate an SSL connection with the IP address received from the DNS request. Certificates will be exchanged, and this happens at the transport level. No application level information will be transferred at this point. Remember that Basic authentication is part of HTTP, and HTTP is an application level protocol, not a transport layer task.
  3. After establishing the SSL connection, the necessary data will be passed to the server, i.e. the path or the URL, the parameters, and the Basic authentication username and password.
Ruchira Randana
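The three steps above, traced with a short Python script added here (it is not part of any answer on the page): it splits the URL from the question the way a client would, builds the HTTP/1.1 request that travels inside the TLS session, with the userinfo turned into a Basic `Authorization` header, and lists which parts an on-path observer still sees (the hostname, via the DNS query and the TLS SNI extension) versus what the tunnel protects (path, query string, headers, body). No network connection is made.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: the URL from the question. Nothing is sent anywhere.
URL = "https://gooduser:secretpassword@www.example.com/webcallback?foo=bar"


def split_url(url):
    """Return (host, port, userinfo, request_target) as a client derives them."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are considered here")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query          # query string stays in the request line
    userinfo = None
    if parts.username is not None:           # RFC 3986 userinfo, deprecated but still parsed
        userinfo = (parts.username, parts.password or "")
    return parts.hostname, parts.port or 443, userinfo, target


def build_request(url, method="GET", body=b""):
    """Build the plaintext HTTP/1.1 request that is carried *inside* the TLS record layer.

    The userinfo never appears in the request line; clients that honour it
    send it as an Authorization header, so it is encrypted like every other header.
    """
    host, port, userinfo, target = split_url(url)
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    if userinfo:
        token = base64.b64encode(f"{userinfo[0]}:{userinfo[1]}".encode()).decode()
        lines.append(f"Authorization: Basic {token}")  # base64 is encoding, not encryption
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def exposure(url):
    """Classify what a network observer sees in the clear versus what TLS protects."""
    host, port, userinfo, target = split_url(url)
    return {
        # Step 1 (DNS) and step 2 (TLS handshake, SNI) reveal only the hostname and port.
        "cleartext": {"dns_query": host, "tls_sni": host, "tcp_port": port},
        # Step 3: request line (path + query), headers and body are inside the tunnel.
        "inside_tls": {"request_target": target, "basic_auth_header": userinfo is not None},
    }
```

The same `request_target` that TLS hides from the network is still what a web server writes to its access log, which is why credentials belong in the `Authorization` header rather than in the query string.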
-3

Not necessarily true. It will be encrypted on the wire; however, it still lands in the logs in plain text.

Brandon
  • 20
    What Web server logs the username and passwords from requests? That would be one hell of an insecure web server. – Andrew Barber Jul 27 '12 at 02:09
  • 1
    Yeah this is just not true. It's probably possible to instruct apache to log this information, but it is certainly not doing so by default. – DougW Aug 13 '12 at 23:14
  • 28
    @Brandon was probably thinking "in URL" meant in the query string (e.g. ?user=bob&pw=123hackmeplz). That could end up in the server logs. – Mike Graf Jun 24 '13 at 22:49
  • 5
    Related: "When you call that URL on the client with e.g. curl, the username and password will be clearly visible on the process list and might turn up in the bash history file." - http://stackoverflow.com/a/4981309 – Hawkeye Parker Feb 04 '15 at 02:21
  • This answer is a very important tip for the OP. You should never pass credentials in the URL because the credentials might end up in some logs. So even if it's not an answer to the original question I'm giving an UPVOTE. – Szymon Wygnański May 27 '19 at 12:57