There are a few issues with HTTP Basic Auth:
- The password is sent over the wire in base64 encoding (which can be easily converted to plaintext).
- The password is sent repeatedly, for each request. (Larger attack window)
- The password is cached by the webbrowser, at a minimum for the length of the window / process. (Can be silently reused by any other request to the server, e.g. CSRF).
- The password may be stored permanently in the browser, if the user requests. (Same as previous point, in addition might be stolen by another user on a shared machine).
Of those, using SSL only solves the first. And even with that, SSL only protects until the webserver – any internal routing, server logging, etc, will see the plaintext password.
So, as with anything it’s important to look at the whole picture.
Does HTTPS protect the password in transit? Yes.
Is that enough? Usually, no. (I want to say, always no – but it really depends on what your site is and how secure it needs to be.)
Try to think of it this way: When you are logging in to any website using SSL, you are most likely passing password in plain-text over HTTPS (for eg GMail).
The only difference that Basic-Auth makes is that username/password is passed in the request headers instead of the request body (GET/POST).
As such, using basic-auth+https is no less or more secure than a form based authentication over HTTPS.
Basic Auth over HTTPS is good, but it’s not completely safe. Similar to how Fiddler works for SSL debugging, a corporate HTTPS proxy is managing the connection between the web browser and the Proxy (whose IP address appears in your webserver logs). In that case the HTTPS password is decrypted, and later re-encrypted at the corporate proxy.
Depending on who is managing the proxy, and how its logs are used, this may be acceptable or a bad thing from your perspective.
For more information on how SSL interception is done, see this link:
When the SSL Proxy intercepts an SSL
connection, it presents an emulated
server certificate to the client
browser. The client browser issues a
security pop-up to the end-user
because the browser does not trust the
issuer used by the ProxySG. This
pop-up does not occur if the issuer
certificate used by SSL Proxy is
imported as a trusted root in the
client browser’s certificate store.
The ProxySG makes all configured
certificates available for download
via its management console. You can
ask end users to download the issuer
certificate through Internet Explorer
or Firefox and install it as a trusted
CA in their browser of choice. This
eliminates the certificate popup for
Some companies get around the certificate pop-up issue mentioned above by deploying the root certificates (of the Proxy) to each workstation via GPO. Although this will only affect software that uses the Microsoft Certificate store. Software such as Firefox needs to be updated differently.