1

Would someone using basic authentication in a URL such as

https://username:password@example.com

have their credentials be visible to their ISP or DNS?

WorseDoughnut
  • That particular question may not be exactly answered on this site, but there are many very similar questions with answers that also answer this. In short, with SSL the full URL (including HTTP basic authentication) is encrypted. The only thing visible to the ISP is the IP address of the destination server (and some other metadata that would also reveal the destination server). – Conor Mancone Feb 04 '20 at 19:49

1 Answer

2

The credentials are not part of the DNS query so they are not visible there. The credentials are included in the encrypted part of HTTPS so that the ISP cannot see these either.

Steffen Ullrich
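
The split described in the answer above, as an added example that is not part of the original post: it models how a client such as curl handles the URL, with only the hostname going to DNS and the TLS SNI field, and the userinfo becoming an `Authorization: Basic` header sent inside the encrypted session. The function name `exposure` and the dictionary keys are assumptions made for illustration.

```python
import base64
import ipaddress
from urllib.parse import urlsplit, unquote


def exposure(url):
    """Return (visible, inside_tls) for an https URL with optional userinfo.

    visible    -> what a DNS resolver or on-path ISP can observe
    inside_tls -> what is sent only after the TLS handshake completes
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("this breakdown only holds for https URLs")
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        is_ip = True   # IP literal: no DNS lookup and no SNI name is sent
    except ValueError:
        is_ip = False

    visible = {
        "dns_query": None if is_ip else host,  # only the hostname is resolved
        "tls_sni": None if is_ip else host,    # cleartext in ClientHello unless ECH is used
        "tcp_port": parts.port or 443,
    }

    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    inside_tls = {"request_target": target}
    if parts.username is not None:
        # The client strips the userinfo and sends it as a Basic auth header.
        creds = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
        inside_tls["authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    return visible, inside_tls


if __name__ == "__main__":
    # Constructed sample input: the URL from the question.
    seen, hidden = exposure("https://username:password@example.com")
    print("visible to DNS/ISP:", seen)
    print("inside TLS only:  ", hidden)
```

The Basic token is Base64-encoded, not encrypted, so the confidentiality of the credentials rests entirely on the TLS session.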