-1

I am new to web services and read about token based authentication which can be used with web services from What is token based authentication?. I searched on internet but its quite confusing how http based websites manage to do token based authentication without any security vulnerability.

What point I have?

I can sit in between server and client and store the token somehow by sniffing the traffic and make misuse of it before it expires. Am I wrong here?

EDIT

As mentioned on https://security.stackexchange.com/questions/46348/token-based-authentication-under-http.

"Facebook uses an OAuth token passed as a cookie or HTTP header and protected by HTTPS."

How can I implement this as in that case the website will be http-based and only http-headers will be using https. Please correct me if I am wrong.

Community
  • 1
  • 1
Amit Kumar
  • 2,685
  • 2
  • 37
  • 72
  • Isn't the answer to that generally called end-to-end encryption (e.g. https ?) – GPI Oct 08 '15 at 18:31
  • 1
    https is more secure(no doubt) but the purpose of asking the question is to understand what risk http-only websites take when they choose to do token based authentication. – Amit Kumar Oct 08 '15 at 18:38
  • 1
    Well, if http-only, meaning no SSL, then you are in trouble :) http://security.stackexchange.com/questions/46348/token-based-authentication-under-http – GPI Oct 08 '15 at 19:16
  • 1
    That's a good link. Thanks! As rook mentioned "Facebook uses an OAuth token passed as a cookie or HTTP header and protected by HTTPS." How can I implement this? – Amit Kumar Oct 08 '15 at 19:34

1 Answers1

2

Your edit suggest a misunderstanding of what HTTPS does.

Normatively speaking, HTTP (meaning, the "language" that is spoken on the network, defined by https://www.ietf.org/rfc/rfc2616.txt) is a text based, "application level protocol", used over TCP sockets (TCP being the "transport level" layer).

In that sense, HTTP and HTTPS are the same "language", nothing differs in them. HTTP and HTTPS are both text based request/response protocols, each consisting of headers and an body, with requests specifying a verb such as GET, POST, PUT, ... No difference whatsoever.

What is different in HTTP vs. HTTPS, is that underneath this HTTP "language" (application level protocol), HTTPS uses TCP sockets that are encrypted using a SSL or TLS layer that provides encryption.

As the SSL/TLS layer happens under the HTTP layer, there can be no difference between what happens to the headers of a request and what happens to the body.

Back to your question :

How can I implement this as in that case the website will be http-based and only http-headers will be using https. Please correct me if I am wrong.

You can't have only the headers, and not the body using HTTPS in a single request/response cycle. It's all or nothing.

The conclusion is, as per the article you link to : token based authentication can only be secure if the token is always secured. Which, if you are always using HTTPS (in all request/response), is guaranteed (both the headers and the body are protected). If even one single request or response is not sent over HTTPS, then you have a flaw.

GPI
  • 9,088
  • 2
  • 31
  • 38