8

I have created a REST API that uses Basic HTTP authentication. It is restricted to SSL only. Now that it is implemented I am hearing criticisms that Basic HTTP over SSL is not secure. It would be detrimental to the project for me to "stop the press" and it would be outside the scope of some of my clients' skill set to use OAuth, etc. I need to understand the risks and rewards of this method. Any examples of big names using Basic HTTP auth would be helpful as support also.

Jamey McElveen
  • 18,135
  • 25
  • 89
  • 129

2 Answers

10

Basic HTTP authentication over SSL is basically secure, with caveats. Security issues predominantly arise from the use of Basic auth without SSL, in which case, the username and password are exposed to a MITM. In a browser, there are also problems with expiring credentials, but this isn't so much of an issue for REST services.

Marcelo Cantos
  • 181,030
  • 38
  • 327
  • 365
3

perhaps I am misled but I don't see a problem with SSL-only BASIC... esp. not with a stateless API.
If the callers are forced to use an SSL-sniffing proxy then BASIC means that the password is available in cleartext to the proxy... in this specific case Digest would be better (even with SSL) because the proxy wouldn't know the password (digest means challenge response...).

Yahia
  • 69,653
  • 9
  • 115
  • 144
  • 2
    Sniffing proxies won't work over SSL unless they can steal the real server's certificate, or con the client into trusting a bogus certificate, which is the whole point of SSL. – Marcelo Cantos Jul 26 '11 at 12:23
  • 2
    there are big companies out there installing an additional root certificate on their employees' computers so they can sniff SSL on the proxy - even some products off-the-shelf are sold in the field (prerequisite is always to install an additional root certificate the proxy has control over) – Yahia Jul 26 '11 at 12:27
  • Good point. I didn't consider the possibility of my own computer being the snitch. – Marcelo Cantos Jul 26 '11 at 12:33
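The contrast Yahia's answer draws, as an added example that is not part of the original thread: once a TLS-terminating proxy (one trusting an extra root certificate, as the comments describe) has the plaintext request, a Basic header decodes straight back to the username and password, while a Digest header carries only an MD5 of the password mixed with the server nonce, client nonce and request details. The Digest numbers below are the worked example from RFC 2617 section 3.5; the Basic credentials are constructed, and the helper names are this example's own.

```python
import base64
import hashlib


def basic_header(username, password):
    """Build the Authorization header a Basic-auth client sends (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """What anyone reading the plaintext request (e.g. a TLS-terminating proxy)
    recovers from a Basic header: the credentials themselves."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _h(data):
    # RFC 2617 H() with the default MD5 algorithm.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest 'response' value for qop=auth."""
    ha1 = _h(f"{username}:{realm}:{password}")      # only place the password enters
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Build the Authorization header a Digest client sends after the server's challenge."""
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop)
    return (
        f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
        f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{response}"'
    )


def password_recoverable(header):
    """Model the proxy's view: return the password if it can be read directly
    from the header, else None. Digest yields only a hash of it (still worth
    protecting with a strong password, since a hash can be guessed offline)."""
    if header.startswith("Basic "):
        return decode_basic(header)[1]
    return None


# Constructed Basic credentials (not from the thread).
BASIC = basic_header("alice", "correct horse battery staple")

# RFC 2617 section 3.5 worked example for Digest.
DIGEST = digest_header(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
)

if __name__ == "__main__":
    print("proxy sees (Basic):  ", password_recoverable(BASIC))
    print("proxy sees (Digest): ", password_recoverable(DIGEST))
    print(DIGEST)
```

Running it shows the Basic password in the clear and the Digest header without it; the `response` field is the RFC's `6629fae49393a05397450978507c4ef1`, which a proxy can replay only against the same nonce and request it was computed for.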