Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Mon, 16 Jun 2008 14:37:18 -0500
James Landis wrote on 6/16/2008 12:16 PM:
I assume the original poster meant HTTP Basic auth when he said that
the username/password was included in a header. One of the main
problems with this scheme is that the raw username and password are
sent with EVERY request to the site.
Internet Explorer and Firefox send the HTTP Auth header on every request (after logging in). It's optional to do so (per the RFC), and presumably they do it to reduce network traffic and speed up page loads. Not sending it means having the site prompt for it, then sending the request again, which comes out to two hits per page.
Safari, on the other hand, will only send the HTTP Auth header when prompted for it. Not sure why Apple chose to make it chatty, but perhaps there is a slight increase in security doing it that way, where the username and password are provided only when absolutely needed.
- Bil
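The exchange the two messages above describe, written out as an added example (not code from this thread or from any of the browsers mentioned). The server side issues the 401 challenge and validates the credentials; the client side models both behaviours, the preemptive one (header sent on every request) and the challenge-driven one (header sent only after a 401), and counts the round trips. The user store, realm name and function names are constructed for the example.

```python
import base64
import hmac

# Constructed credential store for the example: username -> password.
USERS = {"alice": "correct horse battery staple"}
REALM = "example"
# Dummy value compared against when the user does not exist, so that a
# missing user and a wrong password take roughly the same time.
DUMMY_PASSWORD = "x" * 32


def parse_basic(header):
    """Decode an 'Authorization: Basic <base64>' value into (user, password).

    Returns None for anything that is not well-formed Basic auth. Note that
    no secret is needed to do this: the credentials are only base64-encoded,
    which is why Basic auth is 'clear text' as far as anyone on the path is
    concerned and depends entirely on the TLS tunnel for confidentiality.
    """
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first one.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(user, password):
    """Constant-time comparison of the presented password with the stored one."""
    expected = USERS.get(user, DUMMY_PASSWORD)
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return ok and user in USERS


def handle_request(headers):
    """Server side: returns (status, response_headers, body) for one request."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None and check_credentials(*creds):
        return 200, {}, "secret page for " + creds[0]
    # No or bad credentials: challenge the client for this realm.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, ""


def make_basic(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def fetch(user, password, preemptive):
    """Client side: returns (final_status, number_of_requests_sent).

    preemptive=True models a client that attaches the header to every
    request once it knows the credentials (the IE/Firefox behaviour
    described above); preemptive=False models one that sends a bare
    request first and only answers a 401 challenge (the Safari behaviour).
    """
    headers = {}
    if preemptive:
        headers["Authorization"] = make_basic(user, password)
    requests_sent = 1
    status, resp_headers, _ = handle_request(headers)
    if status == 401 and "WWW-Authenticate" in resp_headers and not preemptive:
        headers["Authorization"] = make_basic(user, password)
        requests_sent += 1
        status, resp_headers, _ = handle_request(headers)
    return status, requests_sent


if __name__ == "__main__":
    pw = USERS["alice"]
    print("preemptive:", fetch("alice", pw, preemptive=True))    # one hit
    print("challenge-driven:", fetch("alice", pw, preemptive=False))  # two hits
    print("decoded header:", parse_basic(make_basic("alice", pw)))
```

Run it and the challenge-driven client takes two requests per page where the preemptive one takes one, which is the trade-off discussed above; the last line shows that whoever can read the header can read the password, so the only protection is the TLS session it travels inside.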
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org