
Is Basic Authentication Really Insecure? - askorkin
http://www.skorks.com/2009/08/is-basic-authentication-really-insecure/
======
tptacek
The problem with basic auth has nothing to do with how it's encoded. All
authentication is insecure in flight if you're not using SSL. The problem with
basic auth is that you can't log out.

You may work on a computer that only your cat can access, but a lot of people
--- maybe most --- don't have that luxury.

~~~
there
it might be worth noting that basic auth is slightly worse than the others
because it sends your password across in the clear for every request, whereas
session-based authentication is only sending it once.

if i login to flickr at home and then go to a coffee shop a few days later,
i'm never sending my password in the clear. of course, someone can steal my
session cookie and be me, but they still won't have my actual password. with
basic auth, i would have been giving my password out on every page view.

~~~
tptacek
You could stop that behavior with a session cookie, but then you might as well
just bite the bullet and use form auth.

------
wizard_2
Yes, yes it is. The article talks about how non plain text authentication
schemes are moot if you've got tls (https). I think you should. While this
idea violates defense in depth strategies I think the core of his argument is
compares apples to oranges.

Refraining from sending passwords plain text along your transport is always a
good idea. Even if on the public internet the password's transport may be
encrypted, once it hits your network it might not be. HTTPS accelerators (or
reverse proxies) will remove this secure layer and with basic authentication
you'll be left with the base64 clad password.

While you could argue that if your local networks are compromised you're
screwed anyway. (think bad network topology in your data center) Think back to
defense in depth, I'd rather the passwords never enter my network to begin
with. (Think digest, or better yet Kerberos.)

~~~
tptacek
Digest is worse than Basic-Auth: it has most of the same underlying problems,
and adds the problem that _your passwords need to be stored cleartext on the
server_.

Nobody uses digest.

~~~
mastrix
It requires the server to store _either_ the password or the hash of the
concatenated username, password, and realm. As long as the realm used in the
challenge is consistent, the password need not be stored (at all, anywhere).

~~~
tptacek
If you want the challenge to be password-equivalent, then yes, you can avoid
storing the password. This defeats one of the purposes of digest
authentication.

Note also that by doing this, you're also conceding to store the password in
an extremely insecure hashed format. It's not as bad as cleartext, but it's
markedly worse than a real password hash.

------
charlesju
The only way to intercept this data is to:

1\. Hijack a DNS on route

or

2\. Sniff packets from the air or wire of the computer or server

right?

Both of those seem like reasonably safe risks to take.

~~~
mason55
>2\. Sniff packets from the air or wire of the computer or server

From your home connection, maybe. Anywhere else I wouldn't trust it.

