What are the advantages and disadvantages of basic HTTP authentication?

I created a REST API that uses Basic HTTP authentication. It is limited to SSL only. Now that this is implemented, I hear criticism that basic HTTP over SSL is not secure. It would be detrimental for the project that I “stop the press,” and that would be outside the purview of some of my clients using OAuth, etc. I need to understand the risks and benefits of these methods. Any examples of big names using Basic HTTP auth will also be useful as support.

+6
2 answers

Basic HTTP authentication over SSL is basically secure, with reservations. Security problems mainly arise from using Basic auth without SSL, in which case the username and password are exposed to MITM. The browser also has issues with expiring permissions, but this is not so much of a concern for REST services.

+7

Perhaps I was misleading, but I do not see a problem with SSL only BASIC ... esp. not using stateless APIs.
If callers are forced to use a proxy server with SSL support, then BASIC means that the password is available in cleartext for the proxy server ... in this particular case, Digest will be better (even with SSL), because the proxy server will not know the password (digest means answering a call ...).

+2
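To make the two answers concrete, here is an added example (Python, not code from the thread or its authors) showing what a TLS-terminating proxy, or anyone on the path when there is no TLS, gets from each scheme: the Basic header decodes straight to the cleartext password, while the Digest response carries only an MD5 derived from the password and the server's nonce, which the server can verify from a stored HA1. The username, password, realm, nonce and URI are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none of them come from the original thread.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
REALM = "api.example"          # assumed realm name
NONCE = "dcd98b7102dd2f0e"     # assumed server-issued nonce
METHOD, URI = "GET", "/v1/orders"

def basic_header(username: str, password: str) -> str:
    """Authorization header a client sends for Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def recover_basic_credentials(header: str) -> tuple:
    """What a TLS-terminating proxy (or an on-path observer without TLS)
    gets from a Basic header: the cleartext credentials, one base64 decode away."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd

def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); the server may store this instead of the password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), where HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def digest_header(username, password, realm, nonce, method, uri) -> str:
    """Client side of the challenge-response: answer the server's nonce."""
    resp = digest_response(digest_ha1(username, realm, password), nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def server_verify(header: str, stored_ha1: str, nonce: str, method: str, uri: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare."""
    fields = dict(kv.split("=", 1) for kv in header[len("Digest "):].split(", "))
    fields = {k: v.strip('"') for k, v in fields.items()}
    if fields.get("nonce") != nonce or fields.get("uri") != uri:
        return False
    return hmac.compare_digest(fields.get("response", ""),
                               digest_response(stored_ha1, nonce, method, uri))

def password_on_the_wire(header: str, password: str) -> bool:
    """True if the header carries the password (after decoding a Basic token)."""
    if header.startswith("Basic "):
        return password in base64.b64decode(header[6:]).decode()
    return password in header
```

Digest keeps the password itself off the wire, but it still rests on MD5 and on the server holding a reusable HA1, and it does nothing against an active MITM without TLS, so it complements TLS rather than replacing it.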

Source: https://habr.com/ru/post/893591/
