On Sun, Aug 22, 2021 at 4:55 AM Martin Di Paola <martinp.dipa...@gmail.com> wrote:
>
> While it is correct to say that Basic Auth without HTTPS is absolutely
> insecure, using Basic Auth *and* HTTPS is not secure either.
>
> Well, the definition of "secure" depends on your threat model.

Yes. Which makes statements like "not secure" rather suspect :)

> HTTPS ensures encryption so the content, including the Basic Auth
> username and password, is secret for any external observer.
>
> But it is *not* secret for the receiver (the server): if it was
> compromised, an adversary will have access to your password. It is much
> easier to print a captured password than cracking the hashes.
>
> Other authentication mechanisms exist, like OAuth, which are more
> "secure".

If your server is compromised in that way, *all is lost*. If an attacker
is actually running code on your server, listening to your sockets, after
everything's decrypted, then *shut that server down*. I don't think there
is ANY security model that can handle this - if you're using OAuth, and
the server is compromised, then your client ID and client secret are just
as visible to the attacker as passwords would be.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
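The point made in this exchange, illustrated as an added example that is not part of the thread: after TLS is terminated, the server process itself decodes the Basic Auth header and the OAuth token request, so whoever controls that process sees the password or the client secret in the clear. Hashing the stored password only protects the copy at rest. The two requests below are constructed samples, not captured traffic; the host name, credential values and helper names are assumptions made for the example.

```python
"""What the receiving server sees once TLS has been stripped.

Added example, not code from the mailing-list thread. Both requests are
constructed inline and represent the bytes the server handles after
decryption, i.e. what a compromise of the server process would expose.
"""
import base64
import binascii
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed sample: a Basic Auth request as the server receives it.
BASIC_REQUEST = (
    "GET /api/me HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n"
    "\r\n"
)

# Constructed sample: an OAuth 2.0 client-credentials token request.
OAUTH_TOKEN_REQUEST = (
    "POST /oauth/token HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "grant_type=client_credentials&client_id=web-app&client_secret=s3cr3t-value"
)

PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored hash


def parse_http(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_credentials(raw):
    """Return (username, password) exactly as a Basic Auth server obtains them.

    Base64 is an encoding, not a secret: the server must decode it to check the
    password, so the plaintext exists in memory on every request.
    """
    _, headers, _ = parse_http(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def oauth_client_credentials(raw):
    """Return (client_id, client_secret) from a client-credentials token request.

    The client secret arrives as a plain form field, so a compromised token
    endpoint sees it just as a Basic Auth endpoint sees a password.
    """
    _, headers, body = parse_http(raw)
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return None
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != ["client_credentials"]:
        return None
    return form["client_id"][0], form["client_secret"][0]


def make_password_record(password, salt=None):
    """Store a salted PBKDF2 hash, so a dump of the database is not a dump of passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, record):
    """Constant-time comparison; the caller still had the plaintext to pass in."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    user, password = basic_credentials(BASIC_REQUEST)
    record = make_password_record(password)
    print("Basic Auth, seen by server:", user, password, "valid:", verify_password(password, record))
    print("OAuth token request, seen by server:", oauth_client_credentials(OAUTH_TOKEN_REQUEST))
```

Running it shows both credential pairs in the clear from the server's point of view; the hash only helps against an attacker who obtains the stored records without also controlling the process that verifies them.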