Heretic Man, 2021-12-28 13:41:10
Information Security

Is it safe/correct to pass the login and password in the header over the HTTPS protocol?

Request example:
curl -H "username: user" -H " password:12345 " https://mysite.com

Another question is whether it is possible to intercept these headers by listening to traffic.
I would like to get a detailed answer about the security of this approach.

I know about OAUTH and tokens.


6 answer(s)
Vladimir Dubrovin, 2021-12-28
@z3apa3a

Never cobble together home-made cryptography or authorization methods unless you are a cryptographer or an appsec specialist, respectively; use standard approaches and proven libraries. In your case, you should use HTTP Basic authorization and the standard mechanisms that implement it.

Vitaly Karasik, 2021-12-28
@vitaly_il1

The answer is yes, it is correct. All web services do this: Google, FB, and 99% of the rest.
This is not ideal, so they try to supplement it with MFA (an additional one-time password) or a certificate, but in general there is nothing more reliable and easier to use.

AlexVWill, 2021-12-28
@AlexVWill

It is not safe and not correct, and the point is not that all HTTPS headers are encrypted; it is just that, according to security rules, you do not need to transfer the password at all. You need to transfer its hash sum, so the server will know that the password is correct, but the password itself will not be known to anyone other than its owner.

Alex, 2022-01-15
@asilonos

In short: safe, and so far the standard approach. Yes, the password can be intercepted, and depending on the browser, the user will not know that something in the middle is "reading" his SSL/TLS.
In more detail: it is now fashionable to use a different approach. On the browser side, using JScript / SubtleCrypto, generate a hash / PBKDF from the password and transfer that to the server. The server, in turn, must also generate a secondary hash from this value, and that is what can be stored in and looked up from the database for user authentication. The primary hash must never be stored on the server! But it can be used for other purposes, such as decrypting data for the 2FA method.
And since your front end will already use JScript / SubtleCrypto, this opens up additional possibilities for end-to-end encryption of a wider set of user data.
See how the mega.nz service is built; they have open source.
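Following Vladimir Dubrovin's advice to use HTTP Basic authorization instead of custom headers, and Alex's point that the server keeps only a secondary hash, here is an added Python example (not code from any answer on this page) showing what `curl -u user:12345` actually sends and how a server can verify it against a salted PBKDF2 record. The stored user record, the iteration count and the helper names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed iteration count for PBKDF2-SHA256


def basic_header(username: str, password: str) -> str:
    """Value of the Authorization header that `curl -u user:pass` sends."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def make_record(password: str) -> dict:
    """Server-side record: random per-user salt plus a PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed test user, as a server would store it after registration.
USERS = {"user": make_record("12345")}


def parse_basic_auth(header_value: str):
    """Return (username, password) from an Authorization value, or None if malformed."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: split on the first colon only, a password may itself contain colons.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authenticate(header_value: str) -> bool:
    """Verify Basic credentials against the stored hash in constant time."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    username, password = creds
    record = USERS.get(username)
    # Hash even for unknown users so response timing does not reveal valid usernames.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return record is not None and hmac.compare_digest(candidate, record["hash"])
```

The wire format is the same as the custom `username:`/`password:` headers in the question (cleartext under TLS), but every client, proxy and server library already understands it, and the server side never needs to keep the password itself.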

Defman21, 2015-08-30
@Defman21

First, the regex itself is broken.
Second:

preg_match('/window\.runParams\.imageBigViewURL=\[\s*(.+?)\s*\]/isu', $page, $matches);

vista1x, 2015-08-30
@vista1x

1. We look for the block with photos - https://regex101.com/r/bP4bJ0/1
2. We pull the links out of what was found - https://regex101.com/r/kR2yQ8/1
I did not manage to do all this with one expression. Maybe the regex gurus will come up with something better.
