1

I'm trying to figure out how safe curl -u is to use with a real username and password. Investigating the header of such a request, it seems the user name and password are turned into some kind of hash.

In the example below, it seems jujuba:lalalala is being turned into anVqdWJhOmxhbGFsYWxh

Is this encryption or compression? Is it safe? How does the recipient decode this data?

 curl -u jujuba:lalalala -i -X Get  http://localhost:80/api/resource -v

* timeout on name lookup is not supported
*   Trying 127.0.0.1...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'jujuba'
> Get /api/resource HTTP/1.1
> Host: localhost
> Authorization: Basic anVqdWJhOmxhbGFsYWxh
Jad S
  • 2,705
  • 6
  • 29
  • 49
  • 2
    Basic authentication just uses Base64 encoding for the header. It isn't secure at all unless the connection is encrypted (e.g. using HTTPS). – Shaun the Sheep May 11 '17 at 14:24
  • Is there any reason for doing this if it's not secure? It doesn't look particularly compressed. – Jad S May 11 '17 at 14:31
  • 1
    [RFC 2617, Section 2](https://tools.ietf.org/html/rfc2617#section-2) covers the specification of HTTP Basic Authentication; it's how clients create that hash, and how servers would handle it. – Castaglia May 11 '17 at 14:34
  • Ok so Base64 is used to ensure that the user:pass characters are all part of the ASCII character set, as per the answer [here](http://stackoverflow.com/a/26881570/2390362) – Jad S May 11 '17 at 14:37
  • @Castaglia - RFC 2617 has been obsoleted. The current specification for "Basic" is https://greenbytes.de/tech/webdav/rfc7617.html – Julian Reschke May 11 '17 at 15:57

1 Answer

5

If you run the command:

echo anVqdWJhOmxhbGFsYWxh | base64 -d

You will get jujuba:lalalala showing that the content is just Base-64 encoded, which is the standard for Basic authentication.

You should use HTTPS for any site that requires authentication.

Shaun the Sheep
  • 22,353
  • 1
  • 72
  • 100
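The comments and the answer above both come down to the same point: the `Authorization: Basic` value that `curl -u` sends is the reversible Base64 encoding of `user:password` described in RFC 7617, not a hash. The following added example (not part of the question or the answer) shows both sides of that exchange in Python: building the header value exactly as curl does, and the server-side decoding, which splits on the first colon because RFC 7617 forbids a colon in the user-id but allows one in the password. The function names `basic_auth_header`, `parse_basic_auth` and `check_credentials` are assumptions for this illustration, not a library API.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value the way `curl -u user:password` does.

    RFC 7617 section 2: the value is "Basic" followed by Base64 of
    user-id ":" password. Nothing here is hashed or encrypted; anyone who can
    read the header can recover the password, hence the need for HTTPS.
    """
    if ":" in user:
        # The user-id may not contain a colon, otherwise the server could not
        # tell where the user-id ends and the password begins.
        raise ValueError("user-id must not contain a colon (RFC 7617 section 2)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Server-side decoding of an Authorization header value.

    Returns (user, password), or None when the value is not a well-formed
    Basic credential (wrong scheme, invalid Base64, non-UTF-8 bytes, or no
    colon separator). Rejecting rather than guessing keeps malformed headers
    from being treated as a login attempt for some unintended account.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Split on the FIRST colon only: the password is allowed to contain colons.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Compare the decoded credential against an expected pair.

    hmac.compare_digest is used so the comparison time does not leak how many
    leading characters matched. In a real service the password would be
    checked against a stored password hash, not a plaintext constant.
    """
    parsed = parse_basic_auth(header_value)
    if parsed is None:
        return False
    user, password = parsed
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok


if __name__ == "__main__":
    # Constructed sample matching the question: jujuba / lalalala
    header = basic_auth_header("jujuba", "lalalala")
    print(header)                      # Basic anVqdWJhOmxhbGFsYWxh
    print(parse_basic_auth(header))    # ('jujuba', 'lalalala')
    print(check_credentials(header, "jujuba", "lalalala"))   # True
    print(check_credentials(header, "jujuba", "wrong"))      # False
```

Running the block reproduces the header value seen in the question's verbose curl output, and decoding it back gives the original username and password, which is the whole reason the answer recommends HTTPS for any endpoint that accepts Basic authentication.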