basic auth request

Martin Di Paola martinp.dipaola at gmail.com
Sat Aug 21 14:54:11 EDT 2021


While it is correct to say that Basic Auth without HTTPS is absolutely 
insecure, using Basic Auth *and* HTTPS is not secure either.

Well, the definition of "secure" depends on your threat model.

HTTPS ensures encryption, so the content, including the Basic Auth 
username and password, is secret from any external observer.

But it is *not* secret from the receiver (the server): if it were 
compromised, an adversary would have access to your password. It is much 
easier to print a captured password than to crack the hashes.

Other authentication mechanisms exist, like OAuth, which are more 
"secure".

Thanks,
Martin


On Wed, Aug 18, 2021 at 11:05:46PM -0000, Jon Ribbens via Python-list wrote:
>On 2021-08-18, Robin Becker <robin at reportlab.com> wrote:
>> On 17/08/2021 22:47, Jon Ribbens via Python-list wrote:
>> .......
>>> That's only true if you're not using HTTPS - and you should *never*
>>> not be using HTTPS, and that goes double if forms are being filled
>>> in and double again if passwords are being supplied.
>>
>> I think I agree with most of the replies; I understood from reading
>> the rfc that the charset is utf8 (presumably without ':')
>
>The username can't contain a ':'. It shouldn't matter in the password.
>
>> and that basic auth is considered insecure. It is being used over
>> https so should avoid the simplest net scanning.
>
>It's not insecure over HTTPS. Bear in mind the Basic Auth RFC was
>written when HTTP was the standard and HTTPS was unusual. The positions
>are now effectively reversed.
>
>> I googled a bunch of ways to do this, but many come down to 1) using
>> the requests package or 2) setting up an opener. Both of these seem to
>> be much more complex than is required to add the header.
>>
>> I thought there might be a shortcut or more elegant way to replace the
>> old code, but it seems not
>
>It's only a trivial str/bytes difference, it shouldn't be any big deal.
>But using 'requests' instead is likely to simplify things and doesn't
>tend to be an onerous dependency.

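The points raised in the thread (the header is a plain str/bytes base64 step that needs no extra dependency, the user-id may not contain ':', the charset is UTF-8, and the server reads the password in the clear even over HTTPS) as an added example; this is not code from the original thread or from reportlab, and the function names are my own:

```python
import base64
import urllib.request
from typing import Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Build the value of an HTTP 'Authorization' header for Basic Auth.

    RFC 7617: the credential is 'user-id:password' base64-encoded; the
    user-id may not contain ':', and UTF-8 is the charset used here."""
    if ":" in username:
        raise ValueError("Basic Auth user-id must not contain ':'")
    # str -> UTF-8 bytes -> base64 bytes -> ASCII str: this is the
    # str/bytes difference that trips up code ported from Python 2.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """What the receiving server sees: base64 is encoding, not encryption.

    TLS protects the header in transit; the server (or whoever has
    compromised it) recovers the password with this one call."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # The password may contain ':', so split only at the first one.
    user, sep, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, pwd


def authed_request(url: str, username: str, password: str) -> urllib.request.Request:
    """Attach the header with plain urllib, no 'requests' or opener needed.

    Refuses non-HTTPS URLs so the credential can never leave in cleartext."""
    if not url.lower().startswith("https://"):
        raise ValueError("Basic Auth credentials must only be sent over HTTPS")
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(username, password))
    return req
```

Send the returned request with `urllib.request.urlopen(req)`; the RFC 7617 example credentials "Aladdin"/"open sesame" yield `Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==`.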