Internet security : How Secure Is HTTP Basic

Make money from your photos, videos and blogs. Get Started Now!

Posted in: Internet Security in yayasiri's Blog

With basic authentication, your server has identified who the client user is by means of a user ID and password. How sure can you be that the user really is who he claims to be? To answer this you have to consider the ways in which the ID and password may have been compromised:

The user may have voluntarily given the ID to another person.

The user may have written down the ID, and someone may be using it without his knowledge.

Someone may have guessed the password.

Someone may have intercepted the user ID and password between client and server systems.

The first three possibilities are problems which occur in any password-based system. The normal response to such issues is to suggest better user education and password rules. This is quite reasonable, and can be effective within a single enterprise, where you have some control over the users of the system. It is much less effective in the Interne environment, where the users can come from many backgrounds and locations.

The last possibility is dependent on the level of protection given to messages by the HTTP protocol. We mentioned at the start of the chapter that base64 encoding is used to protect the user ID and password. The base64 encoding system is described in the Multipurpose Internet Mail Extensions (MIME) standard (RFC1521). It is intended as a mechanism for converting binary data into a form that can be sent through mail gateways, some of which can only handle 7-bit ASCII data. The result of this conversion is to mask the contents of any text string but, although it looks as though the data is encrypted, the protection that Base64 provides is an illusion.

We will illustrate this with an example. In order to crack a message, the hacker first has to be able to capture it. There are various ways to do this through hardware and software and none of them are very difficult. What is more difficult is finding a suitable point to make the trace. There are numerous techniques that a hacker can use to divert Internet traffic through his own tracing system, although they are becoming more complex as firewalls and routing controls become smarter. Nonetheless, we can assume that this is not an impossible task for a determined hacker.

For our example we used the DatagLANce LAN analyzer to capture an HTTP packet packet that contained a request including a basic authentication header.