is PasswordAuthentication secure?

 
Chuck Barnes
Ranch Hand
Posts: 37
I have an app that downloads a file based on a URL (HTTPS). That server needs HTML auth to gain access. It works just fine but I'm wondering how secure it is.

Code snippet:



Does it use some kind of encryption?

Does it need encryption? Since it's simulating the user typing in his or her password manually in the prompt from the browser.

I started wondering when I came across this lib.
Jasypt


Thanks
 
Pat Farrell
Rancher
Posts: 4686
Are you asking about HTML's "basic auth" setup with userid and password?
It does not necessarily use any encryption at all; it is used to give user-specific access to a web page, servlet, etc.

You can combine "basic auth" with SSL/TLS, with an HTTPS connection, which uses the certificate system of TLS, and over-the-link encryption.
This makes it more of a challenge to mess with. Without HTTPS, there is very little security, as the password is sent in the clear.

But your fundamental question can't be answered. Security is not binary. It's all a grayscale. You decide how worried you are about which set of possible attacks, and design for that.
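The point above, that Basic auth itself encrypts nothing and only the TLS link does, is easy to see in code. The following is an added example, not code from the original poster: it builds and decodes the `Authorization` header exactly as a Basic-auth client sends it (base64 is reversible), and shows a `java.net.Authenticator` that only releases the `PasswordAuthentication` when the challenge comes from an HTTPS request to the expected host, so a redirect to `http://` or a proxy challenge cannot pull the password into the clear. The class and method names, and the sample credentials, are constructed for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthOverTls {

    // The header value a Basic-auth client sends. This is base64 ENCODING, not encryption:
    // anyone who sees the bytes on the wire can turn them back into user:password.
    static String basicHeaderValue(String user, char[] password) {
        String raw = user + ":" + new String(password);
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // What a network observer gets from that header when the request is plain HTTP.
    static String decodeBasicHeaderValue(String headerValue) {
        String b64 = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    // Authenticator that hands out the password only for an HTTPS challenge from the
    // expected origin server. Returning null makes the request fail with 401 instead of
    // sending credentials over an unencrypted link or to a proxy.
    static final class HttpsOnlyAuthenticator extends Authenticator {
        private final String expectedHost;
        private final String user;
        private final char[] password;

        HttpsOnlyAuthenticator(String expectedHost, String user, char[] password) {
            this.expectedHost = expectedHost;
            this.user = user;
            this.password = password.clone();
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            URL requesting = getRequestingURL();
            boolean safe = getRequestorType() == Authenticator.RequestorType.SERVER
                    && requesting != null
                    && "https".equalsIgnoreCase(requesting.getProtocol())
                    && expectedHost.equalsIgnoreCase(requesting.getHost());
            return safe ? new PasswordAuthentication(user, password.clone()) : null;
        }
    }

    // Downloads a file with the authenticator installed. Note that Authenticator.setDefault
    // is JVM-wide, not per connection, which is one more reason to make it restrictive.
    static byte[] download(URL url, String user, char[] password) throws IOException {
        Authenticator.setDefault(new HttpsOnlyAuthenticator(url.getHost(), user, password));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        // A 30x redirect to an http:// URL would otherwise be followed silently.
        conn.setInstanceFollowRedirects(false);
        try (InputStream in = conn.getInputStream()) {
            return in.readAllBytes();   // Java 9+
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not taken from the thread.
        String header = basicHeaderValue("alice", "s3cret".toCharArray());
        System.out.println("Header sent: Authorization: " + header);
        System.out.println("Recovered by any observer of a plain-HTTP request: "
                + decodeBasicHeaderValue(header));
    }
}
```

Running `main` shows the header and, on the next line, the original `user:password` recovered from it, which is the whole reason the "combine it with HTTPS" advice matters. `download` is the part that would be wired into the original poster's application; it needs a real HTTPS URL and a server that answers 401 with a Basic challenge, so it is not exercised by `main`.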
 
Chuck Barnes
Ranch Hand
Posts: 37

Pat Farrell wrote: Are you asking about HTML's "basic auth" setup with userid and password?
It does not necessarily use any encryption at all; it is used to give user-specific access to a web page, servlet, etc.

You can combine "basic auth" with SSL/TLS, with an HTTPS connection, which uses the certificate system of TLS, and over-the-link encryption.
This makes it more of a challenge to mess with. Without HTTPS, there is very little security, as the password is sent in the clear.

But your fundamental question can't be answered. Security is not binary. It's all a grayscale. You decide how worried you are about which set of possible attacks, and design for that.

Lol, you made me realize I may have answered my own question. I guess I figured it IS 'secure' because the connection is using SSL, so you confirmed that.
Since it is SSL, the password, even though it is the basic scheme, is still encrypted.

So I am 'worried' about being less secure than a user manually downloading the file with a browser.

I think I'm ok in that regard.

 
Pat Farrell
Rancher
Posts: 4686

Chuck Barnes wrote: So I am 'worried' about being less secure than a user manually downloading the file with a browser.

I'm not sure what part of downloading a file you are concerned about. From the server point of view, it's got the file, and letting someone download the file is what a webserver does. HTML page, image, Excel spreadsheet, doesn't matter, they are all just files.

Usual practice is to use Basic Auth with SSL/TLS and declare victory.

From the client view, you have to make a number of leaps of faith that the server is who you think it is, that the file is what you think it is. TLS does a fairly weak job of addressing this, as the whole certificate schema is weak and nearly useless.
 
Greenhorn
Posts: 14

Pat Farrell wrote:

Chuck Barnes wrote: So I am 'worried' about being less secure than a user manually downloading the file with a browser.

I'm not sure what part of downloading a file you are concerned about. From the server point of view, it's got the file, and letting someone download the file is what a webserver does. HTML page, image, Excel spreadsheet, doesn't matter, they are all just files.

Usual practice is to use Basic Auth with SSL/TLS and declare victory.

From the client view, you have to make a number of leaps of faith that the server is who you think it is, that the file is what you think it is. TLS does a fairly weak job of addressing this, as the whole certificate schema is weak and nearly useless.

So the trick is to only allow certain certificates. If you know when these certificates get refreshed, you could simply trust only that certificate (or that specific CA, and its certificate status). Of course, if you go this way, it makes sense to test the connection now and then, or your users are stuck with no SSL connection.
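The post above describes certificate pinning and its operational cost (the pin breaks when the certificate is rotated). The following added example, not code from the post, shows one way to do it with `HttpsURLConnection`: a trust manager that runs the JVM's normal chain validation first and then additionally requires the SHA-256 fingerprint of the server's leaf certificate to equal a pinned value, plus the "test the connection now and then" health check the poster recommends. The pinned fingerprint is a placeholder that must be obtained out of band; the class and method names are constructed for the example.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedHttps {

    // PLACEHOLDER: hex SHA-256 of the DER encoding of the server's leaf certificate,
    // obtained from the server operator out of band. The thread gives no real value.
    static final String PINNED_LEAF_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    static String sha256Hex(byte[] der) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Normal validation (chain, expiry, revocation as configured) still happens first;
    // the pin is an extra condition on top. Hostname verification stays with
    // HttpsURLConnection's default HostnameVerifier and is not replaced here.
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager platform;
        private final String pinHex;

        PinningTrustManager(String pinHex) throws Exception {
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);   // null selects the JVM's default trust store
            X509TrustManager found = null;
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
            }
            if (found == null) throw new IllegalStateException("no X509TrustManager available");
            this.platform = found;
            this.pinHex = pinHex.toLowerCase();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            platform.checkServerTrusted(chain, authType);
            String actual = sha256Hex(chain[0].getEncoded());   // chain[0] is the leaf
            if (!actual.equals(pinHex)) {
                throw new CertificateException("leaf certificate " + actual + " is not the pinned one");
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            platform.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return platform.getAcceptedIssuers();
        }
    }

    static HttpsURLConnection openPinned(URL url, String pinHex) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(pinHex) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    // The periodic check from the post: false means the server no longer presents the
    // pinned certificate (e.g. it was rotated), so the pin can be updated before users are
    // locked out. Other failures (DNS, connection refused) are reported separately.
    static boolean pinStillMatches(URL url, String pinHex) {
        try {
            HttpsURLConnection conn = openPinned(url, pinHex);
            conn.setRequestMethod("HEAD");
            conn.getResponseCode();   // forces the TLS handshake
            conn.disconnect();
            return true;
        } catch (SSLHandshakeException e) {
            return false;             // the trust manager rejected the certificate
        } catch (Exception e) {
            throw new RuntimeException("pin check could not complete", e);
        }
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL(args.length > 0 ? args[0] : "https://example.invalid/file");  // placeholder
        System.out.println("pin still matches: " + pinStillMatches(url, PINNED_LEAF_SHA256));
    }
}
```

Pinning the leaf is the strictest form and breaks on every renewal; the post's alternative, trusting only a specific CA, is the same code with the fingerprint compared against the issuing certificate further up `chain` (or a private trust store containing only that CA) and survives leaf rotation as long as the issuer stays the same. Either way, schedule `pinStillMatches` against the real URL so the pin is updated on the operator's timetable rather than discovered by users.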