Python Scripts to logon to websites

Paul Rubin http
Thu Jan 12 08:26:58 CET 2006


Mike Meyer <mwm at mired.org> writes:
> Only if the userid and password are part of the content. If you're
> doing the usual form-based authentication, then they are. If you're
> doing an HTTP-based authentication, then they aren't - the
> authentication information is in the headers, and can be protected
> however the protocol designers want it to be.

Well, HTTP Basic and HTTP Digest authentication both send the userid
in the clear.  Basic also sends the password in the clear, while
Digest sends a hash of the (salted) password in the clear.  Digest is
better than Basic, but since the attacker can see both the salt and
the password hash, he can still run a dictionary attack.  Therefore,
using form-based authentication over SSL is more secure than using
HTTP Digest without SSL.  (Special tip from Paranoid Pete: have the
downloaded page include some javascript that inserts some padding
chars into a hidden form field, making the form post have constant
length and thereby prevent leaking the password length).

> Most of the people building systems that require passwords on the web
> are too ignorant of security issues for me to trust anything crucial
> to them. I don't bank online, because the banking systems I've looked
> at don't meet *my* minimal requirements for security.

Worse than that, the user agreements typically make security failures
the customer's problem even if they're the bank's fault.

> Back when I was dealing with this on a regular basis, the major
> browser and server vendors were all pushing encrypted session
> mechanisms of various kinds. Given that, a secure authentication
> mechanism is a waste of time, and would provide competition for their
> product in some application domains. So those vendors typically didn't
> implement digest authentication. This sucked if you were exchanging
> content that didn't need security, but wanted to authenticate
> identity.

I don't have the impression that it was that nefarious.  It took a
while for the standards for both encryption and digest authentication
to settle.  By the time digest authentication was ready for prime
time, SSL was also widely deployed, and anyone doing anything serious
used SSL.  So digest authentication was simply not needed.  



More information about the Python-list mailing list