aspose file tools*
The moose likes Security and the fly likes is PasswordAuthentication secure? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "is PasswordAuthentication secure?" Watch "is PasswordAuthentication secure?" New topic
Author

is PasswordAuthentication secure?

Chuck Barnes
Ranch Hand

Joined: Aug 10, 2010
Posts: 37
I have an app that downloads a file based on a URL(HTTPS). That server needs HTML auth to gain access. It works just fine but I'm wondering how secure it is.

code snip it.



Does it use some kind of encryption?

Does it need encryption? Since it's simulating the user typing in his or her password manually in the prompt from the browser.

I started wondering when I came across this lib.
Jasypt


Thanks
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Are you asking about HTML's "basic auth" setup with userid and password?
It does not necessarily use any encryption at all, it is used to give user-specific access to a web page, servlet, etc.

You can combine "basic auth" with SSL/TLS, with a HTTPS: connection, which uses the certificate system of TLS, and over the link encryption.
This makes it more of a challenge to mess with. Without HTTPS, there is very little security, as the password is sent in the clear.

But your fundamental question can't be answered. Security is not binary. Its all a grayscale. You decide how worried you are about which set of possible attacks, and design for that.
Chuck Barnes
Ranch Hand

Joined: Aug 10, 2010
Posts: 37
Pat Farrell wrote:Are you asking about HTML's "basic auth" setup with userid and password?
It does not necessarily use any encryption at all, it is used to give user-specific access to a web page, servlet, etc.

You can combine "basic auth" with SSL/TLS, with a HTTPS: connection, which uses the certificate system of TLS, and over the link encryption.
This makes it more of a challenge to mess with. Without HTTPS, there is very little security, as the password is sent in the clear.

But your fundamental question can't be answered. Security is not binary. Its all a grayscale. You decide how worried you are about which set of possible attacks, and design for that.


Lol, you made me realize I may have answered my own question. I guess I figured it IS 'secure' because the connection is using SSL, so you confirmed that.
Since it is SSL the password, even though it is basic scheme, is still encrypted.

So I am 'worried' about being less secure than a user manually downloading the file with a browser.

I think I'm ok in that regard.

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Chuck Barnes wrote:So I am 'worried' about being less secure than a user manually downloading the file with a browser.

I'm not sure what part of downloading a file you are concerned about. From the server point of view, its got the file, and letting someone download the file is what a webserver does. HTML page, image, Excel spreadsheet, doesn't matter, they are all just files.

Usual practice is to use Basic Auth with SSL/TLS and declare victory.

From the client view, you have to make a number of leaps of faith that the server is who you think it is, that the file is what you think it is. TLS does a fairly weak job of addressing this, as the whole certificate schema is weak and nearly useless.
Maarten Bodewes
Greenhorn

Joined: Aug 04, 2011
Posts: 14
Pat Farrell wrote:
Chuck Barnes wrote:So I am 'worried' about being less secure than a user manually downloading the file with a browser.

I'm not sure what part of downloading a file you are concerned about. From the server point of view, its got the file, and letting someone download the file is what a webserver does. HTML page, image, Excel spreadsheet, doesn't matter, they are all just files.

Usual practice is to use Basic Auth with SSL/TLS and declare victory.

From the client view, you have to make a number of leaps of faith that the server is who you think it is, that the file is what you think it is. TLS does a fairly weak job of addressing this, as the whole certificate schema is weak and nearly useless.


So the trick is to only to allow certain certificates. If you know when these certificates get refreshed, you could simply trust only that certificate (or that specific CA, and it's certificate status). Of course, if you go this way, it makes sense to test the connection now and then, or your users are stuck with no SSL connection.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: is PasswordAuthentication secure?