I have an Axis PTZ camera I want to command using CURL.

I know this command line works:

curl http://LOGIN:PASSWORD@IP/axis-cgi/com/ptz.cgi?rpan=10

But, as you can see, the login/password are clearly written in the URL.

So I tried in HTTPS with:

curl -k https://LOGIN:PASSWORD@IP/axis-cgi/com/ptz.cgi?rpan=10

... where -k ignores certificate warnings.

It works too, but I want to be sure that my login/password are encrypted this way.

Can anyone confirm? (Or give a way to command this camera safely.)

Edit: well, I just edited my post to "bump"... :-°

0101ivier
  • I'm wondering the same thing. I believe URL parameters are encrypted with https but I can't find anything about credentials in the URL – Brad Bamford Oct 05 '15 at 16:10

1 Answer

Yes, your login and password are encrypted when using HTTPS - even if they are transmitted as GET data embedded directly in the URL. See this question for more info.

However, by specifying -k as an option to curl you are essentially disabling its certificate validation features. This makes it prone to man-in-the-middle attacks as described in this answer. A successful attack of this kind would render your entire connection (including your credentials) decipherable.

morido
  • Bother to explain the downvote? - I'm always eager to learn, should there be anything wrong with the above... – morido Jan 16 '16 at 09:54
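
An added example, not part of the original question or answer, of calling the camera without `-k` and without credentials in the URL: certificate verification stays on and trusts only a saved copy of the camera's certificate, and the login comes from a netrc file. Assumptions: the function names, the host and file paths passed in, that the camera's certificate was exported to a PEM file out of band, and that `anyauth` is wanted so curl uses whichever HTTP auth scheme the camera offers.

```shell
#!/bin/sh
# Added example: host, file paths and function names are assumptions.

# Build the PTZ URL; reject a host that smuggles credentials or a path.
ptz_url() {  # $1=host  $2=query, e.g. rpan=10
    case "$1" in
        ''|*@*|*/*|*' '*) echo "bad host: $1" >&2; return 1 ;;
    esac
    printf 'https://%s/axis-cgi/com/ptz.cgi?%s' "$1" "$2"
}

# Succeeds only if the file is readable by us and not by group or other.
private_file() {
    [ -r "$1" ] && [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# Emit a curl config: verification stays on, trust is limited to the
# camera's own certificate, and credentials come from a netrc file
# ("machine HOST login LOGIN password PASSWORD"), never from argv or the URL.
ptz_config() {  # $1=host $2=query $3=camera cert (PEM) $4=netrc file
    url=$(ptz_url "$1" "$2") || return 1
    [ -r "$3" ] || { echo "missing CA file: $3" >&2; return 1; }
    private_file "$4" || { echo "netrc must be mode 600: $4" >&2; return 1; }
    cat <<EOF
url = "$url"
proto = "=https"
cacert = "$3"
netrc-file = "$4"
anyauth
fail
silent
show-error
EOF
}

# Send the command; the config is piped on stdin so nothing secret
# appears in the process list or shell history.
ptz_move() {
    cfg=$(ptz_config "$@") || return 1
    printf '%s\n' "$cfg" | curl --config -
}
```

Usage would be `ptz_move HOST rpan=10 /path/to/camera.pem /path/to/netrc`; if the certificate the camera presents does not match the saved one, curl fails instead of sending the credentials.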