HTTPS and BASIC authentication

Question

When I use HTTP BASIC authentication along with HTTPS, are the username and password securely passed to the server?

I would be happy if you can help me with some references.

I mean, it would be great if I can cite StackOverflow Q&A as a reference in, say, assignments, reports, exams, or even in a technical paper. But I think I am not there yet.

My other question has very good answers that also answer this question: http://stackoverflow.com/questions/3563957/https-url-path-and-query-string — Afriza N. Arief, May 01 '12 at 16:17

score 27 · Accepted Answer · answered Aug 12 '10 at 03:06

27

yes. if you're using https the conversation with the web server is entirely encrypted.

answered Aug 12 '10 at 03:06

Don Dickinson

6,200
3
35
30

6

+1. Even the fact that Basic Auth is taking place cannot be established from the outside. – Thilo Aug 12 '10 at 04:33
@Thilo: Thank you; Can you help me with some references? – Afriza N. Arief Aug 12 '10 at 17:50
3

[Stripe](https://stripe.com/docs/api#authentication) does it like this (and they process credit card transactions). – greatwitenorth Jun 14 '13 at 15:25

Alam · Answer 2 · 2011-08-24T05:17:34.063

4

HTTP Basic Authentication and HTTPS both are different concepts.

In HTTP Basic Authentication username and password are sent in clear text (In HTTP Digest Authorization password is sent in base64 encoded using MD5 algorithm)
Whereas HTTPS is completely different functionality, here complete message is encrypted based on keys and SSL certificate.

Please Note: There is difference between authorization and security. HTTP Basic authorization is an authorization concept it is not security

YES. In your case the HTTP message with username and password will be encrypted and then sent to the server.

edited Aug 24 '11 at 05:17

answered Aug 12 '10 at 03:46

Alam

1,536
15
26

4

It's HTTP Basic authentication, not authorization, which is yet another concept. – Bruno Aug 12 '10 at 13:21
By authorization I mean "401 Unauthorized" header as per RFC 2617. Sorry for creating confusion – Alam Aug 12 '10 at 17:32
1

It is also worth to mention, that HTTPS also provides ways for authentication (certificate based log-in), not only encryption – HTTP Basic authentication may be not needed there. – Jacek Konieczny Aug 25 '10 at 08:34
Also, Authentication & Authorization are two different concepts. – SoftwareGeek Aug 20 '11 at 01:51

score 3 · Answer 3 · answered Aug 12 '10 at 03:52

3

Yes, they are passed securely... if a hacker can decrypt your https transaction he can for sure decrypt the base64 user:password...

I know the more rocks you put the harder it takes... but base64 is not for security reasons

answered Aug 12 '10 at 03:52

Garis M Suero

7,974
7
45
68

Could you please state how you jumped from HTTP BASIC authentication to base64? – Daren Thomas Aug 25 '10 at 08:44
5

Basic Authentication passwords are base64 encoded. These strings are later encrypted by SSL. – bnieland Jun 07 '11 at 11:57

score 0 · Answer 4 · answered Apr 21 '11 at 22:07

If a tool like Fiddler is installed on your local system, it could be used to forward your https transmissions decrypted to a third party. If someone sets it up to do this, they already own your system (either have physical access or full/root access).

HTTPS and BASIC authentication

4 Answers4

Linked