basic auth request
Chris Angelico
rosuav at gmail.com
Sat Aug 21 15:04:43 EDT 2021
On Sun, Aug 22, 2021 at 4:55 AM Martin Di Paola
<martinp.dipaola at gmail.com> wrote:
>
> While it is correct to say that Basic Auth without HTTPS is absolutely
> insecure, using Basic Auth *and* HTTPS is not secure either.
>
> Well, the definition of "secure" depends of your threat model.
Yes. Which makes statements like "not secure" rather suspect :)
> HTTPS ensures encryption so the content, including the Basic Auth
> username and password, is secret for any external observer.
>
> But it is *not* secret for the receiver (the server): if it was
> compromised an adversary will have access to your password. It is much
> easier to print a captured password than cracking the hashes.
>
> Other authentication mechanisms exist, like OAuth, which are more
> "secure".
If your server is compromised in that way, *all is lost*. If an
attacker is actually running code on your server, listening to your
sockets, after everything's decrypted, then *shut that server down*. I
don't think there is ANY security model that can handle this - if
you're using OAuth, and the server is compromised, then your client ID
and client secret are just as visible to the attacker as passwords
would be.
ChrisA
More information about the Python-list
mailing list