我有一个关于HTTPS和HTTP身份验证凭证的问题。

假设我用HTTP认证保护一个URL:

<Directory /var/www/webcallback>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/passwd/passwords
Require user gooduser
</Directory>

然后,我通过HTTPS从远程系统访问该URL,在URL中传递凭据:

https://gooduser:secretpassword@www.example.com/webcallback?foo=bar

用户名和密码是否会自动SSL加密?get和post也是如此吗?我很难找到一个可靠的消息来源。


用户名和密码是否会自动SSL加密?get和post也是如此吗

是的,是的,是的。

当使用SSL时,整个通信(如果主机名的IP尚未缓存,则仅用于DNS查找)都是加密的。


不一定是真的。它将被加密,但它仍然在日志纯文本


是的,它将被加密。

如果你检查一下幕后发生了什么,你就会明白这一点。

The browser or application will first break down the URL and try to get the IP of the host using a DNS Query. ie: A DNS request will be made to find the IP address of the domain (www.example.com). Please note that no other information will be sent via this request. The browser or application will initiate a SSL connection with the IP address received from the DNS request. Certificates will be exchanged and this happens at the transport level. No application level information will be transferred at this point. Remember that the Basic authentication is part of HTTP and HTTP is an application level protocol. Not a transport layer task. After establishing the SSL connection, now the necessary data will be passed to the server. ie: The path or the URL, the parameters and basic authentication username and password.