1

I'm developing an API which is planned to use simple user and password authentication mode. I have experience with HTTP requests and tended to think everything as HTTP request.

As user name and password should never be exposed, would a cURL request hide authentication info or it would appear as any other post value at Fiddler or Chrome's network monitor?

Fabiano
  • 13
  • 2

1 Answers1

1

There's a couple of pieces to this.

If you are connecting to your API over an unencrypted connection then the username/password and everything else will be visible to people who can sniff the traffic. Things like HTTP Digest authentication will make things a bit more difficult but ultimately there's still a vulnerability there. If (for whatever reason) you can't use SSL HTTP Digest is better than HTTP basic.

Assuming you set-up SSL to protect information in transit, the visibility of creds will depend on how you configure things.

If you set your proxy up to be something like fiddler and you set it to intercept SSL connections, then when the data passes fiddler it will be visible there, otherwise it should not be visible.

One thing to note in all this is that it shouldn't matter what client-side tool you're using here (cURL/wget/a browser) the security is configured on the server-side.

Rory McCune
  • 62,266
  • 14
  • 146
  • 222
  • Thank you for your answer! I'll look up for what is possible with server. – Fabiano Feb 13 '14 at 11:21
  • "things like HTTP Basic or Digest auth will make things a bit more difficult" is this really true? If http basic is sent unencrypted, what makes it a bit more difficult? – Ben Whaley Aug 13 '15 at 04:05
  • yeah I was intending to suggest that Digest is better than basic, but that isn't really clear, I'll edit, ta. – Rory McCune Aug 13 '15 at 07:41