[4539] in WWW Security List Archive
Re: Basic Authentication
daemon@ATHENA.MIT.EDU (Brian W. Spolarich)
Thu Feb 20 18:04:14 1997
Date: Thu, 20 Feb 1997 15:34:09 -0500 (EST)
From: "Brian W. Spolarich" <briansp@ans.net>
To: Aaron Abelard <aarona@iquest.net>
cc: Jim Harmon <jim@telecnnct.com>, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SV4.3.91.970220084052.24549E-100000@iquest4>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 20 Feb 1997, Aaron Abelard wrote:
| Here's something very on topic for www-security. According to the HTTP/1.0
| specification (http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#AA) the
| username and password used in Basic Authentication are sent as clear
| text. Does this not allow for the possibility of the information being
| snooped? Also, are there any authentication schemes in use other than
| Basic?
That's quite true, and a Known Problem for HTTP/1.0. The data is sent
Base64-encoded, but certainly not encrypted, and snoopable. But no more
or less snoopable than much of the authentication that's done out there.
There's support in HTTP/1.1 [RFC2068] for MD5-based digest
authentication [RFC2069], which does not transmit the password in the
clear. I'm not aware of any publicly-available servers and clients which
do this, though. There's also the choice of doing Basic authentication
over an SSL-encrypted session, which is safe from eavesdropping, and is
currently implementable.
| It's one thing to have someone circumvent your security to download free
| nudies. To have them rooting through your confidential and proprietary
| corporate information is another thing altogether.
Indeed.
--
Brian W. Spolarich - ANS Systems Development - briansp@ans.net - 313-677-7311
At the sight of Nothing the Soul rejoices. -- Thomas Moore
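As an added illustration of the two schemes contrasted above (not code from the list message): what a Basic header carries on the wire versus what an RFC 2069 Digest exchange carries. The credentials, realm, nonce and URI are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values; nothing here comes from the original message.
USER, PASSWORD, REALM = "alice", "s3cret", "corp-intranet"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce

def basic_header(user: str, password: str) -> str:
    """HTTP/1.0 Basic (RFC 1945): 'Basic ' + Base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_credentials_on_wire(header: str) -> tuple[str, str]:
    """What anyone who sees the request recovers: Base64 is an encoding,
    not encryption, so the credentials travel in effectively clear text."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri) -> str:
    """RFC 2069 request-digest (original Digest scheme, no qop):
    MD5( MD5(user:realm:password) ':' nonce ':' MD5(method:uri) ).
    Only this hash is transmitted; the password itself never is."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def server_verifies(stored_ha1, nonce, method, uri, response) -> bool:
    """Server side: recompute from HA1 (which it may store instead of the
    password) and the nonce it issued; compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print("Basic header on the wire:", hdr)
    print("Recovered by an eavesdropper:", basic_credentials_on_wire(hdr))
    resp = digest_response(USER, PASSWORD, REALM, NONCE, "GET", "/reports/q1.html")
    print("Digest response on the wire:", resp)
    ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")
    print("Server accepts:", server_verifies(ha1, NONCE, "GET", "/reports/q1.html", resp))
```

The Digest exchange still leaves the request-digest open to offline guessing and to replay if nonces are reused, which is why the message's other option, Basic inside an SSL session, remains the simpler defence against eavesdropping.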