I am preparing for the SCWCD certification. I have several references. In at least one reference it is indicated that the password is passed as clear text utilizing HTTP Basic Authentication. In at least one other text it is indicated that the password is passed using Base64 encoding, a weak type of encryption. Which is right? Comments welcome. Thank you in advance for your help. Michael
Michael, according to what I've read, they've all been in agreement on Basic Authentication using Base64 encoding. After your question I checked the RFC, and it does say Base64. What book do you have that is incorrect?
The password is definitely sent in Base64 encoding. However, encoding is not the same as encryption. There is a subtle difference which causes the Base64 encoded string to be termed "clear text". An encrypted string cannot be decrypted unless you have something (usually, the key) that was used to encrypt it, even if you know the algorithm. For example, if you encrypt a string using Blowfish, nobody can (well, leave aside cracking for now) decrypt it unless one has the key, even if one knows that the original string was encrypted using Blowfish. Encoding, on the other hand, has no such protection. Anybody who knows the algorithm can decode it. For example, ASCII, EBCDIC, and Unicode are all encoding mechanisms. You don't have to do any decryption to find out that 65 is ASCII for A. Similarly, Base64 is another encoding mechanism. Anybody can find out what a Base64 encoded string means in ASCII. For this reason, it is said that the password is sent in "clear text". I remember there was a question on this particular aspect in the exam too. HTH, Paul. [ August 07, 2002: Message edited by: Paul Anil ]
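The point Paul makes above, shown in working code as an added example (this is not code from the thread or from any of the posters): a Basic Authentication header is built by Base64-encoding `username:password`, and anyone who sees the header on the wire can reverse it with the same public alphabet and no key. The sample HTTP request, the hostname and the credentials are constructed for the example; the Aladdin/open sesame pair is the one the RFC itself uses. The decoder also handles the edge case the RFC calls out: only the first colon separates user from password, so a password containing colons survives the round trip.

```python
"""Build and recover HTTP Basic Authentication credentials.

Added example: demonstrates that Base64 is reversible encoding, not
encryption, so Basic Auth over plain HTTP exposes the password.
"""
import base64
import binascii
from typing import Optional, Tuple


def make_basic_header(username: str, password: str) -> str:
    """Return the Authorization header value a client sends:
    'Basic ' + Base64(username ':' password). No key is involved."""
    if ":" in username:
        # The user name cannot contain ':' or the receiver could not split it.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header_value: str) -> Tuple[str, str]:
    """Recover (username, password) from a Basic Authorization header.

    Anybody who knows the Base64 alphabet can do this; that is why the
    password is said to travel in clear text.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid Base64 in Authorization header") from exc
    # Only the FIRST colon is the separator; the password may contain colons.
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return user, password


def credentials_from_request(raw_request: bytes) -> Optional[Tuple[str, str]]:
    """Act as a passive observer of an unencrypted HTTP request: find the
    Authorization header and decode it. Returns None if there is none."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"authorization":
            return decode_basic_header(value.decode("latin-1"))
    return None


# Constructed sample request, as it would appear on the wire over plain HTTP.
# The host, path and credentials are made up for this example.
SAMPLE_REQUEST = (
    b"GET /secure/index.jsp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(make_basic_header("Aladdin", "open sesame"))
    print(credentials_from_request(SAMPLE_REQUEST))
    # A password with colons still round-trips correctly.
    print(decode_basic_header(make_basic_header("michael", "p:ss:word")))
```

Running the script prints the header the client would send and then the user name and password recovered from the sniffed request, which is the whole argument for only using Basic Authentication over TLS.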