tags:

views:

112

answers:

4
+2  Q: 

HTTPS and BASIC authentication

When I use HTTP BASIC authentication along with HTTPS, are the username and password securely passed to the server?

I would be happy if you can help me with some references.

I mean, it would be great if I can cite StackOverflow Q&A as a reference in, say, assignments, reports, exams, or even in a technical paper. But I think I am not there yet.

+7  A: 

yes. if you're using https the conversation with the web server is entirely encrypted.

Don Dickinson  2010-08-12 03:06:21
+1. Even the fact that Basic Auth is taking place cannot be established from the outside.
Thilo  2010-08-12 04:33:57
@Don, @Thilo: Thank you; Can you help me with some references?
afriza  2010-08-12 17:50:05
+2  A: 

HTTP Basic Authorization and HTTPS both are different concepts.

  • In HTTP Basic Authorization username and password are sent in clear text (In HTTP Digest Authorization password is sent in base64 encoded using MD5 algorithm)
  • Whereas HTTPS is completely different functionality, here complete message is encrypted based on keys and SSL certificate.

Please Note: There is difference between authorization and security. HTTP Basic authorization is an authorization concept it is not security

YES. In your case the HTTP message with username and password will be encrypted and then sent to the server.

alam  2010-08-12 03:46:51
It's HTTP Basic authentication, not authorization, which is yet another concept.
Bruno  2010-08-12 13:21:07
By authorization I mean "401 Unauthorized" header as per RFC 2617. Sorry for creating confusion
alam  2010-08-12 17:32:57
It is also worth to mention, that HTTPS also provides ways for authentication (certificate based log-in), not only encryption – HTTP Basic authentication may be not needed there.
Jacek Konieczny  2010-08-25 08:34:40
A: 

Yes, they are passed securely... if a hacker can decrypt your https transaction he can for sure decrypt the base64 user:password...

I know the more rocks you put the harder it takes... but base64 is not for security reasons

Garis Suero  2010-08-12 03:52:39
Could you please state how you jumped from HTTP BASIC authentication to base64?
Daren Thomas  2010-08-25 08:44:53
A: 

My other question has very good answers that also answer this question:

afriza  2010-08-25 08:15:59

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL