Python Scripts to logon to websites

Peter Hansen peter at engcorp.com
Wed Jan 11 22:05:57 EST 2006 

Mike Meyer wrote:
> Peter Hansen <peter at engcorp.com> writes:
>>By the way, note that neither basic auth nor digest auth provide any
>>real security, and in fact with basic auth the userid and password are
>>sent *in cleartext*.  For any serious production site these techniques
>>should probably not be used without additional security measures in
>>place, such as HTTPS encryption.
> 
> To be clear, the HTTP authentication schemes don't provide any
> security for the *content* that gets passed back and forth, and they
> don't claim to. If someone can intercept that content, they can read
> it. For some applications, this is really important. For others, it
> doesn't matter at all.

If someone can see the content, they can also see the userid and 
password.  If they can see the password, they will (with how most people 
operate) now have a userid and password that will work on many other 
sites, including possibly someone's banking site, no matter how secure 
even the content might be for that site.

Most people on the web are simply too ignorant of security issues for 
those of us building systems that require passwords to ignore this 
issue.  To do so is to endanger the security and privacy of the very 
people you are hoping to have as users and customers, which is lazy and 
careless (and perhaps in some countries even criminal these days).

> Basic auth doesn't (quite) pass the user name and password in
> cleartext. It uses rot-13. For all the protection it provides, it
> might as well be cleartext.

It's actually base64 encoding, but it amounts to the same thing, as you 
say, as cleartext, since it's trivially reversible.  The protection is 
useless against all but honest people who might otherwise accidentally 
see it while looking at packet monitoring dumps or such.

> Digest passes around md5 sums of varous bits and pieces. While md5 has
> been compromised, I don't believe that's happened in a way that
> compromises the security of digest auth. The password and username
> that pass over the wire are about as secure as they're going to get
> without noticably heavier mechanisms than digest auth requires. On the
> downside, the server has to have the clear text password available.

My information about digest was either obsolete or simply wrong, as I 
didn't realize it had all the nonce and anti-replay support it appears 
to have.  (I may have been remembering articles about how much of that 
wasn't supported widely at some time in the past, meaning replays were 
still quite possible in most cases.  No longer sure.)  Thanks for the 
correction.

In my own opinion, however, requiring that passwords be stored in clear 
text on the server is still quite a bad thing to do.  I don't think even 
system administrators should ever have access to user passwords.  But 
many people don't seem to agree (or at least, are more than happy to be 
lazy rather than diligent in protecting their users' privacy).

-Peter

More information about the Python-list mailing list