curl-users

Re: Digest vs. Basic Authentication: Password sent in clear?

From: Daniel Beardsmore <public_at_telcontar.net>
Date: Sun, 18 Mar 2007 02:24:25 +0000

Sorry, not awake today ... blame it on "germs"? (viruses, but hey)

Jerry Krinock wrote:
> ***** tcpflow output during Basic Authentication.
> If you search that file for the password "port7yuke",
> you'll see that it is not found.
> 010.000.001.205 is my computer's static IP address
> 206.190.056.028 is Yahoo (del.icio.us)
>
> 010.000.001.205.50558-206.190.056.028.00443: ...

By the way, this is a dump of HTTPS traffic (port 443) which is *ENCRYPTED* so
of course you're not going to be able to read anything from it! (The only
fragments of plain text appear to be the key?)

By its very definition, HTTPS traffic cannot be sniffed, so it's immaterial
whether you use Basic or Digest auth.

However, if you were to sniff an insecure (HTTP) connection you would still not
see your password. While HTTP requests are textual, not binary (sniff some plain
HTTP requests and you will see this), the username and password in Basic auth
are base64-encoded as I previously mentioned. Anyone who knows the HTTP spec can
decode those with great ease -- just use any online base64 decoder page on the Web.

Received on 2007-03-18
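As an added illustration of the base64 point above (example code, not from this thread or from curl), a small Python audit that pulls the Authorization header out of a captured plaintext HTTP request, decodes a Basic credential, and reports whether the password is exposed to a passive observer. The sample requests, host and credentials are constructed; the Digest request is included only to contrast that its header carries a hashed response rather than the password itself.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample requests (not the capture discussed in the thread).
# "alice:s3cret" base64-encodes to "YWxpY2U6czNjcmV0".
BASIC_REQUEST = (
    b"GET /v1/posts/all HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    b"\r\n"
)
DIGEST_REQUEST = (
    b"GET /v1/posts/all HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b'Authorization: Digest username="alice", realm="api", nonce="c0ffee", '
    b'uri="/v1/posts/all", response="0123456789abcdef0123456789abcdef"\r\n'
    b"\r\n"
)


def find_authorization(request: bytes) -> Optional[str]:
    """Return the value of the Authorization header, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]      # header block only, no body
    for line in head.split(b"\r\n")[1:]:         # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"authorization":
            return value.strip().decode("latin-1")
    return None


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a 'Basic <base64>' value; None for other schemes."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                              # malformed token, nothing recoverable
    user, _, password = decoded.partition(":")   # RFC 2617: user-id ":" password
    return user, password


def audit(request: bytes, over_tls: bool) -> Dict[str, object]:
    """Report whether a captured request exposes a password to a passive observer."""
    header = find_authorization(request)
    creds = decode_basic(header) if header else None
    return {
        "scheme": header.split(" ", 1)[0] if header else None,
        "password": creds[1] if creds else None,  # only Basic yields the secret itself
        "exposed": bool(creds) and not over_tls,  # Basic over plaintext HTTP is readable
    }
```

Run `audit(BASIC_REQUEST, over_tls=False)` to see the decoded password flagged as exposed, and the same request with `over_tls=True` reported as not exposed because the capture would be ciphertext.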