Basic Authentication - Did you know?
December 28, 2006 at 07:41 PM | categories: python, oldblog
You may think basic authentication for your site is OK, and depending on how secure you want your data, and how much control you have of your network, it might be. However, consider this (faked) snoop:
How secure is that?

    GET /Some/Secure/Thing HTTP/1.0
    Authorization: Basic TWljaGFlbDp1bHRyYXNlY3JldA==

Not very secure at all.

    ~> python
    Python 2.4.2 (#1, May 2 2006, 08:13:46)
    [GCC 4.1.0 (SUSE Linux)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import base64
    >>> base64.decodestring('TWljaGFlbDp1bHRyYXNlY3JldA==')
    'Michael:ultrasecret'

Is this a problem? Do you know where all the transparent proxies might be between your users and your resources? As always, it depends on the context :-) I found it interesting though, due to looking at adding authentication support to Ryan's webclient code, since I'm looking to capture, process and potentially republish potentially authenticated RSS feeds using Kamaelia. (basic RSS example)
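
As an added example (not code from the original post), here is one way to check your own traffic for the exposure described above: parse the Basic credentials header and flag any request that carries it over plain HTTP. It is written for Python 3; the names `parse_basic` and `audit`, the `(scheme, path, headers)` tuple shape and the sample traffic are assumptions made for illustration.

```python
import base64
import binascii

def parse_basic(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:   # scheme name is case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                              # malformed token, not credentials
    user, sep, password = text.partition(":")    # only the first colon splits
    return (user, password) if sep else None

def audit(requests):
    """Flag requests that send Basic credentials without TLS.

    `requests` is an iterable of (scheme, path, headers) tuples; this shape is
    an assumption made for the example. Passwords are never returned.
    """
    findings = []
    for scheme, path, headers in requests:
        for name, value in headers:
            if name.lower() != "authorization":
                continue
            creds = parse_basic(value)
            if creds and scheme == "http":
                findings.append((path, creds[0]))
    return findings

# Constructed sample traffic; the first entry is the request from the post.
SAMPLE = [
    ("http", "/Some/Secure/Thing",
     [("Authorization", "Basic TWljaGFlbDp1bHRyYXNlY3JldA==")]),
    ("https", "/feed.rss",
     [("Authorization", "Basic TWljaGFlbDp1bHRyYXNlY3JldA==")]),
    ("http", "/public", [("Accept", "*/*")]),
]

if __name__ == "__main__":
    for path, user in audit(SAMPLE):
        print("cleartext Basic credentials for %r on %s" % (user, path))
```

The same header sent over HTTPS is not flagged, because TLS hides it from intermediaries on the path; the base64 layer itself adds no protection in either case.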