
Topic: ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted


nidhinjo

HTTP Basic authentication is one of the easiest ways to secure web pages because it doesn't require cookies, session handling, or the development of login pages. Rather, HTTP Basic authentication uses static headers, which means that no handshakes have to be done in advance. Programmers and system administrators sometimes use basic access authentication, in a trusted network environment, to manually test web servers using Telnet or other plain-text network tools. This is a tough process, but the network traffic is human-readable for diagnostic purposes. One other advantage of basic authentication is that it avoids the double-hop authentication problem that can affect other protocols.

Basic authentication is a very simple authentication scheme that is built into the HTTP protocol. The client sends HTTP requests with an Authorization header that contains the word Basic followed by a space and a base64-encoded username:password string. A resource that is protected by basic authentication requires incoming requests to include the Authorization HTTP header using the Basic scheme. This scheme uses a base64-encoded username and password separated by a colon (base64 encoding is used to avoid characters that would cause issues when sent over HTTP).

Plain text
Authorization: Basic username:password

Encoded
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Base64

Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. The term Base64 originates from a specific MIME content transfer encoding. Base64 encoding schemes are commonly used when there is a need to encode binary data that needs to be stored and transferred over media that are designed to deal with textual data. This is to ensure that the data remains intact without modification during transport.

Basic authentication sends a Base64-encoded string that contains a user name and password for the client. Digest authentication is a challenge-response scheme that is intended to replace Basic authentication: the server sends a string of random data called a nonce to the client as a challenge. Base64 is not encryption -- it's an encoding. It's a way of representing binary data using only printable (text) characters. While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to turn non-HTTP-compatible characters that may be in the user name or password into HTTP-compatible ones.

Encryption requires a key (string or algorithm) in order to decrypt; hence the "crypt" (root: cryptography). Encoding modifies/shifts/changes a character code into another. In this case, the raw bytes of the data can be easily represented and transported using HTTP.
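As an added example (not part of the original post), the following Python shows what the signature in the topic title looks for: it parses a constructed HTTP request, decodes the Basic Authorization header as described above, and records only the username and the password length, so the credential itself is never written to a log. The sample request, the intranet.example host and the over_tls flag (whether the sensor saw the request inside TLS) are assumptions.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional


@dataclass
class BasicAuthFinding:
    username: str
    password_length: int  # the password itself is deliberately not retained
    over_tls: bool


def parse_basic_auth(raw_request: str) -> Optional[tuple[str, str]]:
    """Return (username, password) if the request carries a valid Basic header."""
    head, _, _ = raw_request.partition("\r\n\r\n")  # headers only, never the body
    for line in head.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":  # Digest, Bearer, etc. are not in scope
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed token: not a decodable credential
        user, sep, pwd = decoded.partition(":")
        return (user, pwd) if sep else None
    return None


def inspect_request(raw_request: str, over_tls: bool) -> Optional[BasicAuthFinding]:
    """Build a redacted finding for a request that carries Basic credentials."""
    creds = parse_basic_auth(raw_request)
    if creds is None:
        return None
    user, pwd = creds
    return BasicAuthFinding(username=user, password_length=len(pwd), over_tls=over_tls)


def should_alert(finding: Optional[BasicAuthFinding]) -> bool:
    """Alert only when credentials travelled over plain HTTP (the ET POLICY case)."""
    return finding is not None and not finding.over_tls


# Constructed sample request using the encoded header from the text above.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n"
    "\r\n"
)
```

Running `should_alert(inspect_request(SAMPLE_REQUEST, over_tls=False))` returns True, while the same request seen inside TLS returns False.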

Prevention

1) To protect passwords from being captured, we should use HTTPS connections instead of HTTP. The only difference between HTTP and HTTPS is that HTTPS uses the SSL/TLS security protocol over TCP/IP instead of plain TCP/IP.

2) HTTP Basic Authentication and HTTPS are different concepts. In HTTP Basic Authentication the username and password are sent in clear text (in HTTP Digest Authorization the password is sent base64-encoded using the MD5 algorithm). HTTPS is completely different functionality: here the complete message is encrypted based on keys and the SSL certificate.

3) Install plugins/extensions in the web server for encryption, or add SSL/TLS protection for the site.