
Is basic auth with SSL secure enough?

I am developing an application which needs to handle a massive amount of REST requests. Using basic auth will save a lot of computing resources since I don't have to compute the signatures. Also, the documentation will be a lot simpler. What are your thoughts?

TP. asked Dec 03 '09 04:12



People also ask

Is Basic Auth secure if done over HTTPS?

The only difference that Basic-Auth makes is that username/password is passed in the request headers instead of the request body (GET/POST). As such, using basic-auth+https is no less or more secure than a form based authentication over HTTPS.

Is Basic Auth vulnerable?

Basic authentication is vulnerable to replay attacks. Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL session. A user authenticating with basic authentication must provide a valid username and password.

Are there any problems with basic authentication?

Problems with Basic Authentication: The username and password are sent in every request. Although they are encoded with Base64, this does not add any security since they can be decoded easily. Most configurations of Basic Authentication do not implement protection against password brute forcing.


1 Answer

Yes. Basic Auth over SSL is actually stronger than Digest without SSL.

However, the overhead of SSL is much higher compared to computing hashes so there is no performance gain there.

ZZ Coder answered Oct 11 '22 01:10

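A server-side check for the setup discussed on this page, as an added example that is not part of the original question or answer: it decodes the `Authorization: Basic` header (plain Base64, so readable by anyone who sees it), refuses credentials that did not arrive over TLS, and compares against a salted hash in constant time. The account name, password, salt, iteration count and the `is_tls` flag are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample account store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
ITERATIONS = 100_000          # assumed work factor
_SALT = b"constructed-salt"   # constructed value; use a random per-user salt in practice
USERS = {
    "api-client": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, ITERATIONS)),
}


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Base64 is an encoding, not encryption: this step recovers the password.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep else None


def authenticate(header, is_tls):
    """Accept Basic credentials only on a TLS connection; return the user or None."""
    if not is_tls:
        return None  # on plain HTTP the header exposes the password to any observer
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    # Unknown users get a dummy record so both paths do the same hashing work.
    salt, stored = USERS.get(user, (_SALT, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
    return user if ok and user in USERS else None
```

Because Basic auth resends the password on every request, the hash verification above also runs on every request unless the server issues a session or token after the first successful check.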