When accessing a page via https protocol and SSL that requires .htaccess authentication, is the id/password transmitted via https or http? i.e., is the authentication secure?

I'm trying to determine if the authentication takes place before or after the secure socket is established.

------------------
Rich

"What time is it in _____?"
www.timezoneconverter.com (http://www.timezoneconverter.com)


[This message has been edited by Rich (edited 01-21-99).]

Interesting problem. Maybe we need to write a small perl script to decrypt the headers without the certificate. Maybe NSA could help http://www.aota.net/ubb/smile.gif

Greetings from someone who suddenly feels the need for decryptable 1-bit SSL
[nbsp][nbsp]Meikel Weber
http://www.meikel.com

All of the headers are encapsulated within the SSL packet...

That's why it's next to impossible for me to offer SSL at the moment, because the 'Host:' header is encrypted, and Apache needs that information in order to direct to correct domain for decryption...

It's a classic 'chicken or the egg' syndrome... SSL was built for any protocol, and not just HTTP - so it did not take into account HTTP/1.1 needing the 'Host:' header...

Final Note: The authentication happens after the secure socket is established...

--
Terra
--My money is on the Chicken--
FutureQuest.net