httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: [users@httpd] Apache Basic Authorization and Java
Date Fri, 30 Aug 2002 07:58:55 GMT
Basic Authentication is a great little mechanism for keeping nosey-parkers out of areas you'd
like to limit access to. For example, if you publish data which users are supposed to subscribe
for before downloading then Basic Authentication is a great way to limit the access to bona
fide subscribers. If anyone manages to break in, they just get something for free and it's
just a minor loss to you. 

However, it would not be wise to rely on this mechanism to protect anything which, if divulged,
would lead to you becoming liable. For example, if you store personal data on users which
they can view behind a BA scheme then if this information was mis-used, I doubt a court would
regard BA as due diligence in protecting the data.

The problems with BA are:

- the user/pass are in an ordinary plain-text header. Admittedly they are base64-encoded,
but it is elementary maths to decode this. However, SSL, as you point out, makes this bit
- there is no limit, delay or alert associated with multiple retries on the password. A hacker
with a known username can try an automated dictionary-hack (possibly using that pesky wget
program), firing off dozens of attempts per second until he finds a working pair. Apart from
being a bit slower, this sort of attack still works on an SSL site.

Bear in mind, however, that once in, all the hacker has obtained is the right to access documents
on an area of the website which you wanted to limit access to. He has in no way compromised
the security of the server itself and is in no better a position than if you'd simply forgotten
to "AllowOverride AuthConfig". So you've hardly handed him the "keys to the castle"...


Owen Boyle

>-----Original Message-----
>From: Dirk-Willem van Gulik []
>Sent: Donnerstag, 29. August 2002 19:04
>Subject: RE: [users@httpd] Apache Basic Authorization and Java
>On Thu, 29 Aug 2002, Boyle Owen wrote:
>> Hahahahahahaha...  you guys crack me up!
>> I was only concerning myself with "technical feasibility" - Security?
>> with Basic Authentication? Now I'm *really* laughing :-()
>Actually when combined with for example
>or when used with a
>	one time password list (skey),
>	an OTP or
>	hardware token (such as SecurID) or
>	trusted hardware (chipcard, iButton)
>you can actually still get a lot of milage out of the system.
>Note that the stateless nature of http gives you some nice 
>challenges in
>terms of any non constant passwd, but still, for some cases (such as a
>download or a commit) or when combined with a cryptographic 
>cookie, it can
>be very useful.
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:> for more info.
>To unsubscribe, e-mail:
>   "   from the digest:
>For additional commands, e-mail:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message