When I use HTTP BASIC authentication along with HTTPS, are the username and password securely passed to the server?
I would be happy if you can help me with some references.
I mean, it would be great if I can cite StackOverflow Q&A as a reference in, say, assignments, reports, exams, or even in a technical paper. But I think I am not there yet.
yes. if you're using https the conversation with the web server is entirely encrypted.
Yes, they are passed securely... if a hacker can decrypt your https transaction he can for sure decrypt the base64 user:password...
I know the more rocks you put the harder it takes... but base64 is not for security reasons
HTTP Basic Authentication and HTTPS both are different concepts.
- In HTTP Basic Authentication username and password are sent in clear text (In HTTP Digest Authorization password is sent in base64 encoded using MD5 algorithm)
- Whereas HTTPS is completely different functionality, here complete message is encrypted based on keys and SSL certificate.
Please Note: There is difference between authorization and security. HTTP Basic authorization is an authorization concept it is not security
YES. In your case the HTTP message with username and password will be encrypted and then sent to the server.
If a tool like Fiddler is installed on your local system, it could be used to forward your https transmissions decrypted to a third party. If someone sets it up to do this, they already own your system (either have physical access or full/root access).
来源:https://stackoverflow.com/questions/3464454/https-and-basic-authentication