Python Scripts to logon to websites

Mike Meyer mwm at mired.org
Thu Jan 12 01:35:10 CET 2006


Peter Hansen <peter at engcorp.com> writes:
> By the way, note that neither basic auth nor digest auth provide any
> real security, and in fact with basic auth the userid and password are
> sent *in cleartext*.  For any serious production site these techniques
> should probably not be used without additional security measures in
> place, such as HTTPS encryption.

To be clear, the HTTP authentication schemes don't provide any
security for the *content* that gets passed back and forth, and they
don't claim to. If someone can intercept that content, they can read
it. For some applications, this is really important. For others, it
doesn't matter at all.

Basic auth doesn't (quite) pass the user name and password in
cleartext. It uses rot-13. For all the protection it provides, it
might as well be cleartext.

Digest passes around md5 sums of varous bits and pieces. While md5 has
been compromised, I don't believe that's happened in a way that
compromises the security of digest auth. The password and username
that pass over the wire are about as secure as they're going to get
without noticably heavier mechanisms than digest auth requires. On the
downside, the server has to have the clear text password available.

         <mike
-- 
Mike Meyer <mwm at mired.org> http://www.mired.org/home/mwm/ Independent
WWW/Perforce/FreeBSD/Unix consultant, email for more information.



More information about the Python-list mailing list