Top Reasons Not To Use HTTP Authentication

HTTP Authentication is one of the earliest ways web servers were able to receive user names and passwords with some level of control. The server sends a message to the user’s browser asking that it display a user name and password entry box. This appears over the user’s browser similarly to a JavaScript alert box, but with far less control. Long ago, when the web was in its infancy, HTTP Authentication was a great idea. Today it is considered a bad way to get user names and passwords without additional technologies applied.

The biggest reason HTTP Authentication is considered bad is that it does not handle data securely. The user name and password entered by the user are only base64-encoded, which is neither encryption nor safe for transmission over standard web protocols. Any attacker sniffing the data stream can intercept this base64 string and decode it without any difficulty; base64 can be encoded and decoded trivially without keys.

HTTP Authentication may be used if the exchange is wrapped in some other security mechanism or passed over an encrypted connection, such as SSL on port 443. Anyone sending a user name and password via HTTP Authentication should look for these additional layers of security, but most users will not think to. It becomes the responsibility of the web developer to recognize the lack of Internet Security in HTTP Authentication on its own, and wise clients should request appropriate levels of security.

Brute Force Attacks can be performed against HTTP Authentication rather easily. Web servers are designed for high traffic volumes and to handle multiple requests simultaneously. Poorly designed websites allow multiple HTTP Authentication attempts from the same user at the same time, so it is easy to run through many username:password combinations repeatedly until one returns a successful response. Without additional layers of security, a Brute Force Attack can have devastating consequences on a supposedly secure server. Just because “you” can’t break in doesn’t mean “someone else” can’t break in easily.
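The two gaps described above, unencrypted transport and unlimited retries, are both things the server side can check before it even looks at the password. The following Python is an added example, not code from the original post: it decodes a Basic header (showing that base64 alone hides nothing), refuses credentials that did not arrive over HTTPS, and applies a sliding-window limit on failed attempts per client address. The credential store, the limits and the function names are all assumptions made up for the demonstration.

```python
import base64
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store (username -> password); a real server
# would keep salted password hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}
MAX_ATTEMPTS = 5       # failed attempts tolerated per client address ...
WINDOW_SECONDS = 60.0  # ... within this sliding window (assumed values)
_failures = defaultdict(deque)  # client_ip -> timestamps of recent failures


def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value):
    """Return (user, password) from a Basic header, or None if malformed.
    base64 needs no key: whoever captures this header on plain HTTP
    recovers the password with this same function."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(authorization, scheme, client_ip, now=None):
    """Return 'ok', 'unauthorized', 'locked' or 'insecure_transport'."""
    now = time.monotonic() if now is None else now
    if scheme != "https":  # never accept Basic credentials unencrypted
        return "insecure_transport"
    recent = _failures[client_ip]  # sliding-window limit on failures
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()
    if len(recent) >= MAX_ATTEMPTS:
        return "locked"
    creds = decode_basic(authorization or "")
    expected = USERS.get(creds[0], "") if creds else ""
    if creds and hmac.compare_digest(expected.encode(), creds[1].encode()):
        return "ok"
    recent.append(now)
    return "unauthorized"
```

Once a client is locked, even the correct password is refused until the window expires, which is what stops a rapid run through username:password combinations from ever reaching a success.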

If you, or your web developer, decide to use HTTP Authentication, make sure you apply some form of additional Internet Security to protect your users’ information.
