Re: SSL & Basic Authentication
- From: David Wang <w3.4you@xxxxxxxxx>
- Date: Fri, 15 Aug 2008 14:21:09 -0700 (PDT)
Well, in relative terms, using SSL to encrypt the transport of data is
"more" secure than no encryption. And more bits are more secure than
fewer bits. And how do you know if 1024 bits is enough? Well, that all
depends on your security tolerance!
However, the transport of data/credentials and the number of bits for
encryption are far from the whole story of the "security process".
Consider:
- Does the client cache those credentials and if so, how is that
secured?
- Is the actual username/password going over the wire or some one-way
hashed form of it?
- Is the actual username/password stored in memory on the server
somewhere to be accessed by unauthorized server-side code?
- Is the server authorized to cache and replay that username/password
to another server (i.e. delegation)?
All it takes is one insecure link in security for the entire system to
be considered insecure. You can use 1 billion bit encryption, but if
the client or server caches the username/password in the clear, the
encryption is useless.
Also, the security of the system is NOT merely the security of its
parts -- i.e. making sure each link of a system is "more secure" does
NOT ensure that the entire system is "more secure".
System security depends on all the links being secure, as well as the
interactions between all the links being secure.
Thus, asking about the relative security of sending username/password
over SSL is quite incomplete. It is even harder without defining your
own security threshold and tolerance.
For the sake of your question -- using Basic over SSL is more secure,
but without knowing your security requirements, it is hard to advise
whether you should look for better methods. You don't even have a
criterion to determine if your current method is secure enough, let
alone determine if you need more. More security is not always better
because security is not absolute -- it is a gradient that requires
matching the security required to the security provided.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Aug 15, 5:24 am, BigSam <Big...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I suppose I was asking in relative terms. Since we need some form of
authentication, how does Basic Authentication with SSL using a 1024-bit key
compare with some of the other forms of authentication? I understand that Basic
Authentication by itself isn't considered secure by any measure, but when
adding SSL to the mix how much does that increase the security, since the
user ID & password are now encrypted? I assume the user ID & password are
encrypted; please correct me if I'm wrong on that matter.
Thanks,
BigSam
"David Wang" wrote:
On Aug 14, 12:53 pm, BigSam <Big...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
We've a web site that has a certificate in use & all pages are using SSL.
Some pages are configured to use Basic Authentication; we're connecting to
these with mobile devices.
How secure is the process? Should I look for better methods?
You need to first define your security threshold and tolerance before
asking/evaluating the security of any configuration.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
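Two of the points raised in the thread can be shown concretely: a Basic Authorization header carries the password base64-encoded, not hashed, so TLS on the transport is the only thing keeping it out of an eavesdropper's hands; and the server side is a separate link that must verify the password without keeping the plaintext. The following is an added example written for this page, not code from the thread or from either poster. The user name, password, PBKDF2 parameters, the request dictionary and the user table are all constructed stand-ins.

```python
"""
Added example (not from the original thread): what an HTTP Basic
Authorization header actually carries, and how a server can verify it
without keeping the plaintext password around.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import os

# --- what goes over the wire -------------------------------------------

def encode_basic(user: str, password: str) -> str:
    """Build the header value a client sends: base64(user ":" password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_header(header_value: str) -> tuple[str, str]:
    """Recover user and password from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: anyone who sees this header sees
    the password. Without TLS it travels in the clear.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 in Basic credentials") from exc
    # RFC 7617: the first colon separates user-id from password; the
    # password itself may contain colons, so split only once.
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credentials missing ':' separator")
    return user, password


# --- what the server keeps ---------------------------------------------

ITERATIONS = 600_000  # assumption: PBKDF2 work factor chosen for this example


def make_record(password: str) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, record["hash"])


# Constructed user table and a dummy record used to equalise the cost of
# lookups for unknown users.
SAMPLE_USERS = {"bigsam": make_record("s3cret")}
DUMMY_RECORD = make_record("")


def authenticate(request: dict, users: dict) -> str | None:
    """Return the authenticated user name, or None.

    `request` is a constructed stand-in for a real request object with keys
    'scheme' and 'headers'. Basic credentials are accepted only over https;
    a plaintext HTTP request is refused even if the credentials are right.
    """
    if request.get("scheme") != "https":
        return None
    header = request.get("headers", {}).get("Authorization")
    if not header:
        return None
    try:
        user, password = decode_basic_header(header)
    except ValueError:
        return None
    record = users.get(user)
    if record is None:
        verify(DUMMY_RECORD, password)  # same cost as a real lookup
        return None
    return user if verify(record, password) else None


if __name__ == "__main__":
    captured = encode_basic("bigsam", "s3cret")  # constructed sample header
    print("on the wire:", captured)
    print("decodes to:", decode_basic_header(captured))
    req = {"scheme": "https", "headers": {"Authorization": captured}}
    print("authenticated as:", authenticate(req, SAMPLE_USERS))
```

Running it prints the header as a client would send it and the user name and password that fall straight out of it; the only thing that changes when the same request goes over plain HTTP is that the server refuses to look at the credentials at all. The password itself never sits in the user table, only a salted hash, which addresses one of the "other links" in the reply above.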