
I have a directory that I have protected using .htpasswd/.htaccess HTTP authentication. In the .htaccess file for the directory I have this:

# Refuse (403) any request that does not arrive over TLS
SSLRequireSSL

# Never serve the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

# HTTP Basic authentication against the password file
AuthUserFile /var/www/xyz/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user

When I go to a page in the protected directory I am forced to https by the SSLRequireSSL directive which is as I hoped. This means that at the point that I am challenged for login credentials the browser (Firefox) address always starts with HTTPS://. This is great but the SSL indicating padlock symbol is not present until after I enter the credentials and enter the page in the protected directory.

I am worried that this could mean that the password I enter is somehow being sent before the SSL connection is formed and is therefore passed in plain text rather than SSL encoded.

Is this a valid concern? Thanks.

columbo

1 Answer


No, all should be SSL encrypted. If you were using an untrusted certificate, you'd be able to observe that the certificate trust warning appears before the login prompt.

The initial 401 response that prompts for your credentials would be a 403 if it were on an unencrypted channel. Because the SSLRequireSSL is in place, you're definitely safe.

Shane Madden
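One way to verify the answer's claim on your own server, as an added example that is not part of the original question or answer: request the protected path once over plain HTTP and once over HTTPS without credentials, and confirm that only the TLS leg carries a Basic challenge (the plain-HTTP leg should be the 403 from SSLRequireSSL or a redirect). The host name example.invalid and the path /xyz/ are placeholders; the classifier functions run offline on constructed responses.

```python
# Added example (not from the original post): confirm that Basic-auth credentials
# are only ever solicited over TLS. Host/path below are placeholders you supply.
import http.client
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str]]  # (status, headers with lower-cased names)

def classify(resp: Response) -> str:
    """Classify one unauthenticated GET response.
    'challenge': 401 with a Basic challenge, so a browser would prompt
    'refused'  : 403, what SSLRequireSSL answers on a non-TLS request
    'redirect' : 3xx, typically an http->https rewrite
    'other'    : anything else
    """
    status, headers = resp
    if status == 401 and headers.get("www-authenticate", "").lower().startswith("basic"):
        return "challenge"
    if status == 403:
        return "refused"
    if 300 <= status < 400:
        return "redirect"
    return "other"

def verdict(plain: Response, tls: Response) -> str:
    """Combine the plain-HTTP and HTTPS legs into one finding."""
    if classify(plain) == "challenge":
        # A browser would prompt on the http:// URL and send the Authorization
        # header base64-encoded, which is not encryption: credentials in clear.
        return "UNSAFE: Basic challenge issued over plain HTTP"
    if classify(tls) != "challenge":
        return "UNEXPECTED: no Basic challenge over HTTPS (check AuthType/Require)"
    return "OK: credentials are only requested over TLS"

def probe(host: str, path: str, use_tls: bool) -> Response:
    """One unauthenticated GET; redirects are reported, not followed."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("GET", path)
    r = conn.getresponse()
    headers = {k.lower(): v for k, v in r.getheaders()}
    conn.close()
    return r.status, headers

if __name__ == "__main__":
    HOST, PATH = "example.invalid", "/xyz/"  # placeholders, not the asker's server
    print(verdict(probe(HOST, PATH, False), probe(HOST, PATH, True)))
```

With the .htaccess from the question, the expected outcome is a 403 on the plain-HTTP leg and a 401 with `WWW-Authenticate: Basic realm="Restricted Area"` on the HTTPS leg, which the script reports as OK.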