by deadbunny 3005 days ago
What an idiotic article.

> The server simply uses base64 to decode the Authorization header to retrieve the given username and password to authenticate against.

The encoding had fuck all to do with security.

> The HTTP protocol unlike its sibling HTTPS is not encrypted. So it means that everyone on internet can see what you send.

No, that's not how it works at all. I have to be somewhere in between you and the server to see what you're transmitting in plain text. I can't just read random fucking data from Joe Bloggs.

> It means that all of our HTTP calls are open to any malicious hacker sitting in between us and the server

Oh ok, you know that. So why sensationalize your previous point?

> I did have to stick my credentials in the Authorization header when I made the request.

You're missing the point: if it's unencrypted, it doesn't matter where the data is.

1 comment
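As an added example (written for this page; it is not code from the thread or from the article under discussion), the following shows concretely what the on-path observer deadbunny describes does with a plaintext HTTP request: pull out the Authorization header, base64-decode it, and split the result into username and password. The captured request, the host `api.example.test` and the credentials `joe.bloggs` / `pa:ss:word` are constructed for the example. The password deliberately contains colons, because RFC 7617 forbids a colon only in the user-id, so the split has to happen at the first colon. The final helper makes the point of the second comment explicit: whether the credentials are exposed depends only on the transport, never on the encoding.

```python
"""Recover HTTP Basic credentials from a plaintext request the way an on-path
observer would. Base64 is a reversible encoding, not encryption.

Everything below is constructed for this example: the request bytes, the host,
and the credentials are made up.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample: the bytes a sniffer between client and server sees when a
# client sends Basic auth over plain HTTP. The token is base64("joe.bloggs:pa:ss:word").
CAPTURED_REQUEST = (
    b"GET /api/v1/orders HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Authorization: Basic am9lLmJsb2dnczpwYTpzczp3b3Jk\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request head into a lower-cased name -> value map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def decode_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Reverse the Basic scheme: 'Basic <base64(user:password)>' -> (user, password).

    Returns None for a non-Basic or malformed header. The split is on the FIRST
    colon only: RFC 7617 forbids ':' in the user-id but allows it in the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # RFC 7617 default when no charset is declared
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def sniff_credentials(raw_request: bytes) -> Optional[Tuple[str, str]]:
    """What the observer in the thread does: read the header and decode it."""
    auth = parse_headers(raw_request).get("authorization")
    return decode_basic_credentials(auth) if auth else None


def build_basic_header(user: str, password: str) -> str:
    """Client side of the scheme, used here to show it is a plain encoding."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_exposed(scheme: str, raw_request: bytes) -> bool:
    """True when Basic credentials travel over an unencrypted transport.

    The decision depends only on the scheme: the encoding of the header gives no
    confidentiality, so only TLS (https) keeps the credentials from an on-path observer.
    """
    return scheme.lower() == "http" and sniff_credentials(raw_request) is not None


if __name__ == "__main__":
    print("observer recovered:", sniff_credentials(CAPTURED_REQUEST))
    print("exposed over http:", credentials_exposed("http", CAPTURED_REQUEST))
    print("exposed over https:", credentials_exposed("https", CAPTURED_REQUEST))
```

Running it prints the recovered `('joe.bloggs', 'pa:ss:word')`, which is the whole of the "decoding" an attacker has to do; the same header over `https` is unreadable to that attacker not because it is encoded differently but because the TLS layer carries it.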

I agree that the article is very poorly written, and inaccurate in places.

But at this point, having seen thousands of customers use Basic auth over HTTP, I don't actually care how sensationalized the article is. If it gets people to stop doing it, I'm all for it. We can explain the nuances later.

Frankly, the nuances of /why/ it's bad are somewhat less important than just knowing it's bad. This isn't true for all cases, but I would argue it is true for what is probably one of the most common issues we see.