1

I'm trying to figure out how safe curl -u is to use with a real username and password. Investigating the header of such a request, it seems the user name and password are turned into some kind of hash.

In the example below, it seems jujuba:lalalala is being turned to anVqdWJhOmxhbGFsYWxh

Is this encryption or compression? Is it safe? How does the recipient decode this data? 

 curl -u jujuba:lalalala -i -X Get http://localhost:80/api/resource -v * timeout on name lookup is not supported * Trying 127.0.0.1... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to localhost (127.0.0.1) port 80 (#0) * Server auth using Basic with user 'jujuba' > Get /api/resource HTTP/1.1 > Host: localhost > Authorization: Basic anVqdWJhOmxhbGFsYWxh
Improve this question
5
  • 2
    Basic authentication just uses Base64 encoding for the header. It isn't secure at all unless the connection is encrypted (e.g. using HTTPS). Commented May 11, 2017 at 14:24
  • Is there any reason for doing this if it's not secure? It doesn't look particularly compressed. Commented May 11, 2017 at 14:31
  • 1
    RFC 2617, Section 2 covers the specification of HTTP Basic Authentication; it's how clients create that hash, and how servers would handle it. Commented May 11, 2017 at 14:34
  • Ok so Base64 is used to ensure that the user:pass characters are all part of the ASCII character set, as per the answer here Commented May 11, 2017 at 14:37
  • @Castaglia - RFC 2617 has been obsoleted. The current specification for "Basic" is greenbytes.de/tech/webdav/rfc7617.html Commented May 11, 2017 at 15:57

1 Answer 1

Reset to default
5

If you run the command:

echo anVqdWJhOmxhbGFsYWxh | base64 -d

You will get jujuba:lalala showing that the content is just Base-64 encoded, which is the standard for Basic authentication.

You should use HTTPS for any site that requires authentication.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Indeed. See the specification: greenbytes.de/tech/webdav/rfc7617.html#rfc.section.4.p.3

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.