TL;DR Get familiar with what Basic Authentication looks like in HTTP proxy traffic. Understand the security implications. At minimum, HTTPS must be enforced when using Basic Authentication.
Many a time, the discussion goes to and fro between pentesters and developers:
It is hidden on the page, no user can see!
That data can be seen in traffic!
and the confusion ensues.
Though this post is not about how hidden data can be unearthed from the page (see here for why client-side protection doesn't matter), I think it is helpful to have a visual example of what some of the key technologies look like behind the beautifully crafted web pages.
What it looks like: Basic Authentication
Is it secure?
- Though this authentication type can be considered rather old technology, I still come across many applications using it, especially on "internal" networks or intranet applications. Some say the scheme is insecure because both username and password are transmitted in plaintext (yes, Base64 is not encryption, it is just an encoding, and you just saw how easily it can be decoded).
- On the other hand, some argue that as long as HTTPS is strictly enforced when Basic Authentication is used, it is no different from cookie/form-based authentication, since most websites send the username/password in plaintext to the server when the login form is submitted anyway. The one real difference: a form login sends the password once and then relies on a session token, whereas the browser resends the Basic credentials with every request, so any single intercepted request gives up the password.
- Basic Authentication cannot take advantage of the usual session-management protections: the browser caches the credentials for the realm and resends them automatically, so there is no server-side session to expire, rotate or invalidate on logout. (A topic for another day, I guess.)
The security baseline:
- Whichever side you are on, HTTPS is a must when using Basic Authentication. You would be surprised how many intranet applications still use a plain HTTP channel.
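To make the proxy-traffic point concrete, here is an added Python example; it is not code from the original post. It builds the `Authorization` header a browser sends for Basic Authentication, decodes a captured header back to the plaintext credentials the way a pentester would from proxy history, and flags any capture in which that header travelled over plain `http`. The host, realm and `admin:secret` credentials in the captured messages are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed proxy capture, not from any real system: the server's challenge
# and the browser's follow-up request for a made-up intranet host.
SAMPLE_CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Intranet"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# The browser resends this header on every request to the realm, so each
# request in the proxy history carries the password, not just the login.
SAMPLE_REQUEST = (
    "GET /reports/ HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def build_basic_header(username: str, password: str) -> str:
    """Produce the header value a browser sends after the login dialog
    (RFC 7617): Base64 of 'username:password'. Encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(value: str):
    """Recover plaintext credentials from an Authorization header value.
    Returns (username, password), or None if it is not well-formed Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only the first colon separates user from password (RFC 7617 section 2),
    # so a password containing ':' survives the round trip.
    user, sep, pwd = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, pwd


def parse_headers(raw_message: str) -> dict:
    """Minimal header parse of a captured HTTP message; names lower-cased."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return headers


def audit_capture(url: str, raw_request: str) -> dict:
    """Summarise what a pentester sees for one captured request: whether
    Basic credentials are present, what they decode to, and whether the
    channel protected them. Only an https URL meets the baseline."""
    headers = parse_headers(raw_request)
    creds = decode_basic_header(headers.get("authorization", ""))
    scheme = urlsplit(url).scheme.lower()
    return {
        "url": url,
        "basic_auth": creds is not None,
        "credentials": creds,
        "exposed_on_wire": creds is not None and scheme != "https",
    }


if __name__ == "__main__":
    print(parse_headers(SAMPLE_CHALLENGE)["www-authenticate"])
    for url in ("http://intranet.example.test/reports/",
                "https://intranet.example.test/reports/"):
        print(audit_capture(url, SAMPLE_REQUEST))
```

Run as a script it prints the realm from the 401 challenge and then the audit of the same request seen over `http` and over `https`: the credentials decode to `admin:secret` in both cases, but only the `http` capture is reported as exposed on the wire, which is exactly the baseline above.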
No reason not to use HTTPS:
- Nowadays, there is no reason not to use HTTPS. The major browsers mark HTTP sites as "Not secure" (check how Chrome does it and how Firefox does it).
- If one worries about the cost of buying a TLS certificate, there are free initiatives promoting a secure web (check the free certificates from Let's Encrypt).
Get familiar with what Basic Authentication looks like to pentesters and understand the security implications.
Of course, this post is based on personal experience and online references; one should not believe internet posts without proper research.
Code securely and stay safe! It's a mad world out there! :D