Basic Authentication - Did you know?

December 28, 2006 at 07:41 PM | categories: python, oldblog

You may think basic authentication for your site is OK, and depending on how secure you want your data, and how much control you have of your network, it might be. However, consider this (faked) snoop:

GET /Some/Secure/Thing HTTP/1.0
Authorization: Basic TWljaGFlbDp1bHRyYXNlY3JldA==

How secure is that?
~> python
Python 2.4.2 (#1, May  2 2006, 08:13:46)
[GCC 4.1.0 (SUSE Linux)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> base64.decodestring('TWljaGFlbDp1bHRyYXNlY3JldA==')
'Michael:ultrasecret'
Not very secure at all.
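To make the point concrete from the other side of the wire, here is an added example (not from the original post) that does what a transparent proxy or sniffer on the path could do: parse a captured plaintext request, pull the Basic credential out of the Authorization header, and report it as a finding. The sample request is constructed and carries the same base64 string as the snoop above; the parser splits only on the first colon because a password may itself contain one, and treats malformed base64 as "no credential" rather than crashing.

```python
import base64
import binascii

# Constructed sample request, as a transparent proxy or sniffer on the path would
# see it; the credential is the one from the post (base64 of "Michael:ultrasecret").
SAMPLE_REQUEST = (
    "GET /Some/Secure/Thing HTTP/1.0\r\n"
    "Authorization: Basic TWljaGFlbDp1bHRyYXNlY3JldA==\r\n"
    "\r\n"
)

def parse_headers(raw_request):
    """Return the request's headers as a dict with lower-cased names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # [1:] skips the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def basic_credentials(raw_request):
    """Return (user, password) if the request carries Basic auth, else None.

    The credential is base64(user ":" password); the password may itself contain
    ':' so split only on the first one.  Malformed base64 yields None, not an error.
    """
    scheme, _, token = parse_headers(raw_request).get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(raw_request, over_tls):
    """One-line finding for a captured request; flags Basic credentials sent in the clear."""
    creds = basic_credentials(raw_request)
    if creds is None:
        return "no Basic credentials"
    if over_tls:
        return "Basic credentials for %r (wrapped in TLS on the wire)" % creds[0]
    return "FINDING: Basic credentials for %r readable by every hop on the path" % creds[0]

if __name__ == "__main__":
    print(audit(SAMPLE_REQUEST, over_tls=False))
```

The only thing that changes the verdict is whether the connection was TLS; base64 itself contributes nothing.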

Is this a problem? Do you know where all the transparent proxies might be between your users and your resources? As always, it depends on the context :-) I found it interesting, though, because I've been looking at adding authentication support to ryan's webclient code: I want to capture, process and potentially republish RSS feeds that may require authentication, using Kamaelia. (basic RSS example)