
Information Security Stack Exchange

The password is sent over the wire in plaintext.

The password is sent repeatedly, for each request. (Larger attack window)

The password is cached by the webbrowser, at a minimum for the length of the window / process. CSRF).

The password may be stored permanently in the browser, if the user requests. (Same as previous point, in addition might be stolen by another user on a shared machine).

Of those, using SSL only solves the first. And even with that, SSL only protects until the webserver - any internal routing, server logging, etc., will see the plaintext password.

So, as with anything, it's important to look at the whole picture.

Does HTTPS protect the password in transit? Yes.

Is that enough? Usually, no. (I want to say, always no - but it really depends on what your site is and how secure it needs to be.)

You note the need for authenticating the client and ask about the security of HTTP basic auth, over SSL. This is what SSL was designed for and will work fine so long as the password is a good one. 12 characters using a good source of randomness, or other techniques discussed at this site.

Your client also does need to ensure that you have the right cert for the server. In the situation like what you describe, using a self signed cert as described at the python ssl page referenced will be fine. I can see any way that hashing something preliminarily before sending it serverside could decrease security, even if serverside further hashes it before storing it. I would be tempted to use SSL/TLS auth instead (modern browsers allow 2 way auth with websites using key auth), especially for a page that is not meant to be viewed by regular users. This depends a lot on your use case, though, and is probably difficult with your Python webserver.

Chris Kuehl

Jul 14 12 at 17:08

Basic Auth over HTTPS is good, but it's not completely safe. Similar to how Fiddler works for SSL debugging, a corporate HTTPS proxy is managing the connection between the web browser and the Proxy (whose IP address appears in your webserver logs). In that case the HTTPS password is decrypted, and later re-encrypted at the corporate proxy.

Depending on who is managing the proxy, and how its logs are used, this may be acceptable or a bad thing from your perspective.
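The answers above note that TLS ends at the webserver (or at an intercepting proxy), so anything that logs the request sees the password. As an added example, not taken from the original answers: Basic credentials are only base64-encoded, so a logged `Authorization` header is the password, and it should be redacted before a line is written. The function names and the sample log line are constructed for illustration.

```python
import base64
import re

# Finds "Authorization: Basic <token>" inside a log line (case-insensitive).
_BASIC_RE = re.compile(r"(authorization:\s*basic\s+)([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_basic(header_value):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        # The user-id cannot contain ':', so split on the first colon only.
        user, sep, password = raw.decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return (user, password) if sep else None


def redact_basic(log_line):
    """Strip Basic credentials from a log line, keeping the user name for audit."""
    def _sub(match):
        creds = decode_basic("Basic " + match.group(2))
        # repr() escapes control characters so the user name cannot forge log lines.
        user = repr(creds[0]) if creds else "?"
        return f"{match.group(1)}[REDACTED user={user}]"
    return _BASIC_RE.sub(_sub, log_line)


# Constructed sample data (not from the page).
SAMPLE_TOKEN = base64.b64encode(b"alice:correct horse").decode("ascii")
SAMPLE_LINE = '10.0.0.5 "GET /admin HTTP/1.1" Authorization: Basic ' + SAMPLE_TOKEN

if __name__ == "__main__":
    print(decode_basic("Basic " + SAMPLE_TOKEN))  # what any logger of this header holds
    print(redact_basic(SAMPLE_LINE))              # what should reach the log instead
```
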
