diff --git a/bin/swift-auth-create-account b/bin/swift-auth-create-account
index ccaf93cf5f..cdc085d754 100755
--- a/bin/swift-auth-create-account
+++ b/bin/swift-auth-create-account
@@ -36,8 +36,10 @@ if __name__ == '__main__':
     conf = dict(c.items('auth-server'))
     host = conf.get('bind_ip', '127.0.0.1')
     port = int(conf.get('bind_port', 11000))
+    ssl = conf.get('cert_file') is not None
     path = '/account/%s/%s' % (new_account, new_user)
-    conn = http_connect(host, port, 'PUT', path, {'x-auth-key':new_password})
+    conn = http_connect(host, port, 'PUT', path, {'x-auth-key':new_password},
+                        ssl=ssl)
     resp = conn.getresponse()
     if resp.status == 204:
         print resp.getheader('x-storage-url')
diff --git a/bin/swift-auth-recreate-accounts b/bin/swift-auth-recreate-accounts
index 51212b4f4f..3bdd1e43ee 100755
--- a/bin/swift-auth-recreate-accounts
+++ b/bin/swift-auth-recreate-accounts
@@ -31,8 +31,9 @@ if __name__ == '__main__':
     conf = dict(c.items('auth-server'))
     host = conf.get('bind_ip', '127.0.0.1')
     port = int(conf.get('bind_port', 11000))
+    ssl = conf.get('cert_file') is not None
     path = '/recreate_accounts'
-    conn = http_connect(host, port, 'POST', path)
+    conn = http_connect(host, port, 'POST', path, ssl=ssl)
     resp = conn.getresponse()
     if resp.status == 200:
         print resp.read()
diff --git a/doc/source/howto_cyberduck.rst b/doc/source/howto_cyberduck.rst
new file mode 100644
index 0000000000..135272d9b4
--- /dev/null
+++ b/doc/source/howto_cyberduck.rst
@@ -0,0 +1,141 @@
+===============================
+Talking to Swift with Cyberduck
+===============================
+
+.. note::
+    Put together by Caleb Tennis, thanks Celeb!
+
+
+#.  Install Swift, or have credentials for an existing Swift installation. If
+    you plan to install Swift on your own server, follow the general guidelines
+    in the section following this one.
+
+#.  Verify you can connect using the standard Swift Tool `st` from your
+    "public" URL (yes I know this resolves privately inside EC2)::
+
+        ubuntu@domU-12-31-39-03-CD-06:/home/swift/swift/bin$ st -A https://ec2-184-72-156-130.compute-1.amazonaws.com:11000/v1.0 -U a3:b3 -K c3 stat
+           Account: 06228ccf-6d0a-4395-889e-e971e8de8781
+        Containers: 0
+           Objects: 0
+             Bytes: 0
+
+    .. note::
+
+        The Swift Tool `st` can be copied from Swift sources to most any
+        machine with Python installed. You can grab it from
+        http://bazaar.launchpad.net/%7Ehudson-openstack/swift/trunk/annotate/head%3A/bin/st
+        if you don't have the Swift code handy.
+
+#.  Download and extract the Cyberduck sources (3.5.1 as of this writing). They
+    should be available at http://trac.cyberduck.ch/
+
+#.  Edit the Cyberduck source. Look for lib/cloudfiles.properties, and edit
+    this file. Change auth_url to your public auth URL (note the https)::
+
+        auth_url=https://ec2-184-72-156-130.compute-1.amazonaws.com:11000/v1.0
+
+#.  Edit source/ch/cyberduck/core/Protocol.java. Look for the line saying
+    "storage.clouddrive.com". Just above that, change::
+
+        public boolean isHostnameConfigurable() {
+            return true;
+        }
+
+#.  In the root directory, run "make" to rebuild Cyberduck. When done, type:
+    `open build/Release/Cyberduck.app/` to start the program.
+
+#.  Go to "Open Connection", select Rackspace Cloud Files, and connect.
+
+    .. image:: howto_cyberduck_config.png
+
+#.  If you get SSL errors, make sure your auth and proxy server are both setup
+    for SSL. If you get certificate errors (specifically, 'unable to find valid
+    certification path to requested target'), you are using a self signed
+    certificate, you need to perform a few more steps:
+
+    .. note::
+
+        For some folks, just telling the OS to trust the cert works fine, for
+        others use the following steps.
+
+#.  As outlined here: http://blogs.sun.com/andreas/entry/no_more_unable_to_find,
+    download http://blogs.sun.com/andreas/resource/InstallCert.java, run "javac
+    InstallCert.java" to compile it, then run "java InstallCert
+    https://your-auth-server-url:8080". This script will pull down that
+    certificate and put it into a Java cert store, in your local directory. The
+    file is jssecacerts.
+
+#.  You need to move that file to $JAVA_HOME/jre/lib/security, so your java run
+    time picks it up.
+
+#.  Restart Cyberduck, and it should now allow you to use that certificate
+    without an error.
+
+
+---------------------------------------
+Installing Swift For Use With Cyberduck
+---------------------------------------
+
+#.  Both the proxy and auth servers will ultimately need to be running with
+    SSL. You will need a key and certificate to do this, self signed is ok (but
+    a little more work getting Cyberduck to accept it). Put these in
+    /etc/swift/cert.crt and /etc/swift/cert.key.
+
+    .. note::
+
+        Creating a self-signed cert can usually be done with::
+
+            cd /etc/swift
+            openssl req -new -x509 -nodes -out cert.crt -keyout cert.key
+
+#.  Example proxy-server config::
+
+        [proxy-server]
+        bind_port = 8080
+        user = swift
+        cert_file = /etc/swift/cert.crt
+        key_file = /etc/swift/cert.key
+
+        [auth-server]
+        ssl = true
+
+#.  Example auth-server config::
+
+        [auth-server]
+        default_cluster_url = https://ec2-184-72-156-130.compute-1.amazonaws.com:8080/v1
+        user = swift
+        cert_file = /etc/swift/cert.crt
+        key_file = /etc/swift/cert.key
+
+#.  Use swift-auth-create-account to create a new account::
+
+        ubuntu@domU-12-31-39-03-CD-06:/home/swift/swift/bin$ swift-auth-create-account a3 b3 c3
+        https://ec2-184-72-156-130.compute-1.amazonaws.com:8080/v1/06228ccf-6d0a-4395-889e-e971e8de8781
+
+    .. note::
+        It's important that the URL that is given back to you be accessible
+        publicly. This URL is tied to this account, and will be served
+        back to Cyberduck after authorization. If this URL gives back
+        something like: http://127.0.0.1/v1/... this won't work, because
+        Cyberduck will attempt to connect to 127.0.0.1.
+
+        This URL is specified in the auth-server config's
+        default_cluster_url. However, once you have created an
+        account/user, this URL is fixed and won't change even if you change
+        that configuration item. You will have to use sqlite to manually
+        edit the auth.db in order to change it (limitation of using the
+        development auth server, but perhaps someone will patch in this
+        ability someday).
+
+#.  Verify you can connect using the standard Swift Tool `st`::
+
+        ubuntu@domU-12-31-39-03-CD-06:/home/swift/swift/bin$ st -A https://127.0.0.1:11000/v1.0 -U a3:b3 -K c3 stat
+           Account: 06228ccf-6d0a-4395-889e-e971e8de8781
+        Containers: 0
+           Objects: 0
+             Bytes: 0
+
+.. note::
+
+    Please let me know if you find any changes that need to be made: ctennis on
+    IRC
diff --git a/doc/source/howto_cyberduck_config.png b/doc/source/howto_cyberduck_config.png
new file mode 100644
index 0000000000..1612bbe0e6
Binary files /dev/null and b/doc/source/howto_cyberduck_config.png differ
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 60d26dbe32..3461a9083c 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -41,6 +41,13 @@ Deployment:
     deployment_guide
     admin_guide
 
+End User Guides:
+
+.. toctree::
+    :maxdepth: 1
+
+    howto_cyberduck
+
 Source:
 
 .. toctree::
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 33d612c724..f548852722 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -35,4 +35,5 @@
 # class = swift.common.auth.DevAuthMiddleware
 # ip = 127.0.0.1
 # port = 11000
+# ssl = false
 # node_timeout = 10
diff --git a/swift/common/auth.py b/swift/common/auth.py
index 6830b60ba7..5e4e7d1716 100644
--- a/swift/common/auth.py
+++ b/swift/common/auth.py
@@ -35,6 +35,8 @@ class DevAuthMiddleware(object):
         self.conf = conf
         self.auth_host = conf.get('ip', '127.0.0.1')
         self.auth_port = int(conf.get('port', 11000))
+        self.ssl = \
+            conf.get('ssl', 'false').lower() in ('true', 'on', '1', 'yes')
         self.timeout = int(conf.get('node_timeout', 10))
 
     def __call__(self, env, start_response):
@@ -78,7 +80,7 @@ class DevAuthMiddleware(object):
         try:
             with Timeout(self.timeout):
                 conn = http_connect(self.auth_host, self.auth_port, 'GET',
-                    '/token/%s/%s' % (account, token))
+                    '/token/%s/%s' % (account, token), ssl=self.ssl)
                 resp = conn.getresponse()
                 resp.read()
                 conn.close()
diff --git a/swift/common/bufferedhttp.py b/swift/common/bufferedhttp.py
index 94d1ba1073..6b308e5b01 100644
--- a/swift/common/bufferedhttp.py
+++ b/swift/common/bufferedhttp.py
@@ -30,8 +30,8 @@ from urllib import quote
 import logging
 import time
 
-from eventlet.green.httplib import HTTPConnection, HTTPResponse, _UNKNOWN, \
-            CONTINUE, HTTPMessage
+from eventlet.green.httplib import CONTINUE, HTTPConnection, HTTPMessage, \
+    HTTPResponse, HTTPSConnection, _UNKNOWN
 
 
 class BufferedHTTPResponse(HTTPResponse):
@@ -106,10 +106,11 @@ class BufferedHTTPConnection(HTTPConnection):
 
 
 def http_connect(ipaddr, port, device, partition, method, path,
-                 headers=None, query_string=None):
+                 headers=None, query_string=None, ssl=False):
     """
-    Helper function to create a HTTPConnection object that is buffered
-    for backend Swift services.
+    Helper function to create an HTTPConnection object. If ssl is set True,
+    HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
+    will be used, which is buffered for backend Swift services.
 
     :param ipaddr: IPv4 address to connect to
     :param port: port to connect to
@@ -119,9 +120,13 @@ def http_connect(ipaddr, port, device, partition, method, path,
     :param path: request path
     :param headers: dictionary of headers
     :param query_string: request query string
+    :param ssl: set True if SSL should be used (default: False)
     :returns: HTTPConnection object
     """
-    conn = BufferedHTTPConnection('%s:%s' % (ipaddr, port))
+    if ssl:
+        conn = HTTPSConnection('%s:%s' % (ipaddr, port))
+    else:
+        conn = BufferedHTTPConnection('%s:%s' % (ipaddr, port))
     path = quote('/' + device + '/' + str(partition) + path)
     if query_string:
         path += '?' + query_string
@@ -135,9 +140,11 @@ def http_connect(ipaddr, port, device, partition, method, path,
 
 
 def http_connect_raw(ipaddr, port, method, path, headers=None,
-                     query_string=None):
+                     query_string=None, ssl=False):
     """
-    Helper function to create a HTTPConnection object that is buffered.
+    Helper function to create an HTTPConnection object. If ssl is set True,
+    HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
+    will be used, which is buffered for backend Swift services.
 
     :param ipaddr: IPv4 address to connect to
     :param port: port to connect to
@@ -145,9 +152,13 @@ def http_connect_raw(ipaddr, port, method, path, headers=None,
     :param path: request path
     :param headers: dictionary of headers
     :param query_string: request query string
+    :param ssl: set True if SSL should be used (default: False)
     :returns: HTTPConnection object
     """
-    conn = BufferedHTTPConnection('%s:%s' % (ipaddr, port))
+    if ssl:
+        conn = HTTPSConnection('%s:%s' % (ipaddr, port))
+    else:
+        conn = BufferedHTTPConnection('%s:%s' % (ipaddr, port))
     if query_string:
         path += '?' + query_string
     conn.path = path