Srikanth

Reputation: 12110

How Is My Password Transferred from My Browser to the Web Server Securely?

How is the password I enter in, say, a Gmail login form transferred to the web server securely?

Upvotes: 5

Views: 3998

Answers (3)

Erik Funkenbusch

Reputation: 93424

This depends entirely on whether it's an HTTPS or HTTP request. In general, HTTP authentication requests are sent in what's called "plaintext equivalent". It's encoded in Base-64, which is easily reversed, so it's basically plaintext - meaning it's not secure.

Some browsers, like Internet Explorer, have some extensions to allow "secure" passwords to be sent to servers that understand, and can decode them. This generally means IIS running in a domain environment. I put secure in quotes because, as most things Microsoft does, the amount of true security is often up for discussion.

If you're using HTTPS, the password is still sent the same way, but because it's passing over a secure transport it doesn't matter if the password is cleartext or not, since the transport is encoding it.

Upvotes: 1

RuudKok

Reputation: 5302

By using SSL.

EDIT
A nice resource of information about security and encryption is the Security Now! podcast by Steve Gibson and Leo Laporte. Steve can explain very thoroughly how security works, so go check it out!

The latest episode (#183) is about Modes of Encryption (link to shownotes/podcast)

Upvotes: 4

Guillaume

Reputation: 18865

In the case of GMail, or any other form based authentication, the protection comes from the transport layer. If you are sending the form via HTTP, there is basically no protection. If you send the form using SSL (which you should be using) the protection comes from SSL. You can read more about SSL at http://en.wikipedia.org/wiki/Transport_Layer_Security

Upvotes: 2
