HTTP Basic Authentication credentials passed in URL and encryption

258
votes

I have a question about HTTPS and HTTP Authentication credentials.

Suppose I secure a URL with HTTP Authentication:

<Directory /var/www/webcallback>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/passwd/passwords
Require user gooduser
</Directory>

I then access that URL from a remote system via HTTPS, passing the credentials in the URL:

https://gooduser:[email protected]/webcallback?foo=bar

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs? I'm having a hard time locating a credible source with this information.

3
httpsbasic-authentication
Related: Username and password in https urlHawkeye Parker
Very old question but nevertheless: this approach has been deprecated by ietf.org/rfc/rfc3986.txt: "Use of the format "user:password" in the userinfo field is deprecated."Madbreaks

3 Answers

243
votes

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs

Yes, yes yes.

The entire communication (save for the DNS lookup if the IP for the hostname isn't already cached) is encrypted when SSL is in use.

27
votes

Yes, it will be encrypted.

You'll understand it if you simply check what happens behind the scenes.

  1. The browser or application will first break down the URL and try to get the IP of the host using a DNS Query. ie: A DNS request will be made to find the IP address of the domain (www.example.com). Please note that no other information will be sent via this request.
  2. The browser or application will initiate a SSL connection with the IP address received from the DNS request. Certificates will be exchanged and this happens at the transport level. No application level information will be transferred at this point. Remember that the Basic authentication is part of HTTP and HTTP is an application level protocol. Not a transport layer task.
  3. After establishing the SSL connection, now the necessary data will be passed to the server. ie: The path or the URL, the parameters and basic authentication username and password.
-4
votes

Not necessarily true. It will be encrypted on the wire however it still lands in the logs plain text