
I have an async method that uses HttpClient:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using System.Threading.Tasks;

    private static HttpClient client = new HttpClient();   //As pointed by @maccettura

    private async Task<string> GetResult(Uri url, string user, string pass)
    {
        // "user:pass" as UTF-8 bytes, base64-encoded below for the Basic scheme
        var passArray = new UTF8Encoding().GetBytes(user + ":" + pass);

        client.BaseAddress = url;
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Basic", Convert.ToBase64String(passArray));

        string result;
        using (HttpResponseMessage response = await client.GetAsync(url))
        using (HttpContent content = response.Content)
        {
            result = await content.ReadAsStringAsync();
        }
        return result;
    }

that I had to change to a synchronous WebClient:

    using System.IO;
    using System.Net;
    using System.Text;

    private string GetResult(Uri url, string user, string pass)
    {
        using (var client = new WebClient())
        {
            client.UseDefaultCredentials = true;
            // Explicit credentials replace the default ones enabled above
            client.Credentials = new NetworkCredential(user, pass);
            // WebClient sends the first request without credentials and retries
            // with the Basic header only after the server answers 401
            using (var stream = client.OpenRead(url))
            using (var streamReader = new StreamReader(stream, Encoding.UTF8, true))
            {
                return streamReader.ReadToEnd();
            }
        }
    }

Am I compromising security by sending the plain username and password? If so, is there a way to increase the security? (The URL is an HTTPS address.)

Yasskier

2 Answers


In both cases you send credentials in "plain text". In both cases they are converted to base-64 before sending, but that does not make it any more secure. The only difference is that in the second (WebClient) case the web client will first make the request without credentials. Then it will get a 401 Unauthorized response, and after that it will make a second request with the exact same Authorization Basic <base64_here> header, so it's kind of less efficient than applying that header right away. But again, both cases send exactly the same Authorization header. As already said, if you make the request to an https endpoint, your credentials should be safe against interception by a third party; there is no need to implement your own encryption if you are already using an encrypted channel.

Evk
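Added example (C#), not code from the question or either answer: it builds the same Basic header as the snippets above but attaches it to a single HttpRequestMessage instead of the shared client's DefaultRequestHeaders, and refuses any URL that is not https so the base64 credentials can never go out in the clear. The class and method names are my own.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

// Added example (hypothetical names), not the asker's code.
public static class BasicAuthClient
{
    private static readonly HttpClient Client = new HttpClient();

    // Produces the exact header value both snippets in the question end up sending.
    public static AuthenticationHeaderValue BuildBasicHeader(string user, string pass)
    {
        var bytes = Encoding.UTF8.GetBytes(user + ":" + pass);
        return new AuthenticationHeaderValue("Basic", Convert.ToBase64String(bytes));
    }

    public static async Task<string> GetResultAsync(Uri url, string user, string pass)
    {
        // Basic auth is only base64, so refuse to send it over anything but TLS.
        if (url.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Basic credentials require an https:// URL: " + url);

        // Per-request header: nothing is left behind on the shared client for later calls,
        // and BaseAddress is never touched after the client has been used.
        using (var request = new HttpRequestMessage(HttpMethod.Get, url))
        {
            request.Headers.Authorization = BuildBasicHeader(user, pass);
            using (HttpResponseMessage response = await Client.SendAsync(request))
            {
                response.EnsureSuccessStatusCode();
                return await response.Content.ReadAsStringAsync();
            }
        }
    }
}
```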

Yes, you are compromising by sending a plain text username and password. There can be network sniffers that can pick up the packages you send across http and read them. If the user name and passwords are plain, then uh-oh. Sniffers usually sniff in public places like libraries and coffee shops.

sdfbhg