perl-embperl mailing list archives

From Gavin Carr <ga...@openfusion.com.au>
Subject Re: username and password with basic auth
Date Wed, 14 Sep 2005 04:29:53 GMT
On Wed, Sep 14, 2005 at 05:41:35AM +0200, Gerald Richter wrote:
> > Of course, Basic Authentication is evil, and should only be 
> > used for toy projects (since it doesn't scale) over HTTPS.
> 
> I see that, since password is transmitted in clear text, it is a security
> problem in http, but where is the problem with https?

The problem is that the password is still transmitted in the
clear on every request. If I can somehow sniff packets on your 
host I get lots of opportunities to steal your credentials; 
if I can get a hostile embperl page or cgi within the same
Auth Realm on your webserver I can do the same. Authentication
should be once only per-session and/or it shouldn't use cleartext
passwords.

The scalability thing is also significant, since every request
for every resource (which often means css, images, etc., not just 
html pages) is authorised. And typically the authorisation is 
non-trivial (e.g. a linear scan through an htpasswd file,
proportional to the number of users you have), rather than 
something fast like a ticket checksum.

Cheers,
Gavin

--
Open Fusion P/L - Open Source Business Solutions [ Linux - Perl - Apache ]
ph:  +612 9875 5032                                    fax: +612 9875 4317
web: http://www.openfusion.com.au                      mob: +61 403 171712
- Fashion is a variable, but style is a constant - Programming Perl
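The contrast Gavin draws above (credentials re-sent and re-checked on every request versus a once-per-session ticket whose check is a cheap checksum) can be shown in a few lines. The following Python is an added example written for this archive page; it is not code from the thread or from Embperl. The user table, salt, signing key and ticket format are all constructed for the demo, and the password hash is PBKDF2 rather than the crypt variants a real htpasswd file uses.

```python
import base64
import hashlib
import hmac

# Constructed server-side ticket-signing secret (would be random and private in practice).
TICKET_KEY = b"demo-ticket-key-not-for-real-use"

# Constructed stand-in for an htpasswd table: username -> salted password hash.
# The per-request cost of Basic auth is this hash, recomputed on every hit.
_SALT = b"demo-salt"

def _hash_pw(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, _SALT, 50_000)

USERS = {
    "alice": _hash_pw(b"correct horse"),
    "bob": _hash_pw(b"battery staple"),
}

def parse_basic_header(header: str):
    """Decode an 'Authorization: Basic <b64>' value into (user, password).

    This is what Basic auth sends on every request: the password itself,
    base64-encoded but otherwise in the clear (TLS only hides it on the wire,
    not from anything that can read the request on either end)."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password

def check_basic(header: str) -> bool:
    """Per-request Basic auth: look the user up and re-derive the password hash."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_pw(password.encode()))

def issue_ticket(user: str, now: int, ttl: int = 3600) -> str:
    """Issued once, after a successful login: 'user|expiry|HMAC'.

    Later requests present this ticket instead of the password."""
    expiry = now + ttl
    body = f"{user}|{expiry}"
    mac = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def check_ticket(ticket: str, now: int):
    """Per-request ticket check: one HMAC plus a constant-time compare.

    Returns the user name on success, None on a bad signature, a tampered
    body, or an expired ticket. No password and no user-table scan involved."""
    try:
        user, expiry_s, mac = ticket.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None
    body = f"{user}|{expiry}"
    expected = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    if now >= expiry:
        return None
    return user

if __name__ == "__main__":
    header = "Basic " + base64.b64encode(b"alice:correct horse").decode()
    print("basic header carries:", parse_basic_header(header))
    print("basic check:", check_basic(header))
    ticket = issue_ticket("alice", now=1000)
    print("ticket:", ticket)
    print("ticket check:", check_ticket(ticket, now=1500))
    print("expired:", check_ticket(ticket, now=5000))
```

`check_basic` has to run the slow hash on every hit, and the header it parses exposes the password to anything that can read the request; `check_ticket` does a fixed amount of work regardless of how many users exist, and a ticket captured from one request expires rather than being a reusable password.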



