APPLICATIONS

  • 11/30/2015
    8:00 AM
  • Rating: 
    0 votes
    +
    Vote up!
    -
    Vote down!

HTTP Basic Authentication Primer

In this video, Tony Fortunato discusses the simple form of HTTP authentication and shows how to verify an application is using it via Wireshark.

One of the things I keep my eyes peeled for are items that involve security implications. Full disclaimer: I am not a security guru nor do I profess to be one, but I do understand some of the more obvious issues.

For example, many of you are probably familiar with the term "clear text." This is when data or credentials are transmitted in a text format. Obviously, this is not a good thing since anyone who happens to intercept sensitive data will be able to easily see it..

Hence, the introduction of encryption so that your data is encoded in such a manner that only authorized applications can read the data. Unfortunately, as many people know, different types of encryption have their weaknesses.

In this video I cover the simplest form of HTTP authentication: HTTP Basic. With this method, your data is encoded with Base64 in transit. Some people even go as far as calling this encryption, but I don’t want to go down that rabbit hole. Suffice to say, we can all agree the data is no longer in clear text.

I show you that with Wireshark and no additional downloads, plugins or scripts, you can see if an application is using HTTP Basic. Wireshark will decode the authorization string, revealing the credentials. The syntax presented is simply username:password.

Please keep in mind that this something specific to Wireshark, so you should take a moment to try your own protocol analyzer to see how it fares.


Comments

MITMA

A man-in-the-middle-attack would also employ the same technique to gain access to sensitive credential information. In this regard, HTTPS is better due to encrypted certificates. However, no security is bullet proof, if the attacker is desperate and the prize big enough then the MITMA will create a fake certificate in order to eavesdrop.

Re: MITMA

well written and thanks for the input

Re: MITMA
Never thought of that. Great point
posted video interview discussing this article on LMTV
Re: posted video interview discussing this article on LMTV

Great discussion, thank you for sharing it with us. I think of encoding as communication enablers and encryption as communication restrictors. For instance, a modem (modulator-demodulator) is an encoder/decoder that enables the digital computer to communicate with the analog phone wire and vice versa. And, encryption is similar to the secret language that twins develop in order for a third party not to understand their communication.

Additionally, the line between encoding and encryption is a moving target because of Moore's law and brute force. If the password ABCD1234 requires around 11 minutes to crack and if the password ABCD12345 requires 7 hours to crack then, due to Moore's law with time the duration required to crack a given password/key will decrease.