Security of the HTTP authentication method

A colleague once told me that using that method of authentication is very insecure, and proved it by entering user: true and password: true in a system that used it, and got through. But I believe the lack of security was in the code, which was badly written, and not in the resource itself.

I would like to know whether it is possible to use it safely, or whether it really can be circumvented, because this site is using this type of window-style login system, and I would like to be sure, precisely in order to warn them of the risk:

https://servicos.tecban.com.br/portalSeg/loginAutenticar.do

  • Ask your colleague to show you, and let him embarrass himself. The address you indicated uses HTTPS. The problem with HTTP authentication is that the password passes through your network, the provider, and everything else on the way to the destination. HTTPS, when used correctly, encrypts the data before sending it (unless you have installed that antivirus "web protection", which is nothing more than a "man in the middle" run by the manufacturer). As for true/true, obviously the application had a problem, or else there was a real user "true" with password "true" ;)

  • But can you use this safely without https://?

  • You can use any password authentication with or without HTTPS, but it runs into the same problem: without HTTPS the password goes over the wire in the clear. Whether with this type of authentication or with a login and password form on the page, the password is exposed (either the password itself or the hash that is used). What you can do to improve things is send a nonce that varies from login to login and hash it with JS, but that is just an extra layer. HTTPS is key.

  • I get it, it’s just that I like the window style: when I want to show a website to a client, he has to type in a password to be able to see it... So he is reassured, thinking that nobody saw it before him and me, hehe.

  • Remember that the window changes from browser to browser. Take a closer look at the pros and cons, and consider that in case of error it is more complicated to show friendly messages. In addition, it is more complicated to manage a forced logoff; you need to send a 401 status to the person. You can’t easily do it on the server side without changing your credentials. There are cases where it is fine, and cases where it is not good.

  • In my opinion, the only advantage of using this type of authentication is for use with cURL or for integration with other software... because it becomes easier to use curl -u username:password https:// (or to send Authorization: Basic [...] in the headers) than to make a POST, which may already be "busy" carrying other data. Anyway, for "common" applications I can’t see an advantage. As for secure or not, I believe the problem with true/true is in the code that is authenticating and processing this, and that can occur with any type of authentication if it is done wrong.
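As an added example (not from the question or any of the comments above), here is the header that curl -u sends and a server-side check of it in Python: the base64 in the header decodes straight back to the password, which is why the comments insist on HTTPS, and every failure is answered with the 401 challenge mentioned above. The credential store and the realm are constructed sample values.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed sample credential store; a real service would store password hashes.
USERS = {"alice": "s3cret"}

def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode the header. Base64 is an encoding, not encryption: anyone who
    sees this header on a plain-HTTP connection reads the password back."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(header: Optional[str]) -> Tuple[int, dict]:
    """Return the (status, response headers) the server should send."""
    creds = parse_basic_auth(header)
    if creds is not None:
        user, password = creds
        expected = USERS.get(user)
        # Exact, constant-time comparison: user "true" / password "true" is
        # rejected like any other unknown credential.
        if expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8")
        ):
            return 200, {}
    # Missing or wrong credentials: 401 plus the challenge that makes the browser
    # show the login window; sending this is also how a forced logoff is done.
    return 401, {"WWW-Authenticate": 'Basic realm="example"'}

if __name__ == "__main__":
    hdr = basic_auth_header("alice", "s3cret")
    print(hdr, parse_basic_auth(hdr), authenticate(hdr)[0], authenticate(None)[0])
```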

No answers
