Web Access. Basic Authentication vs HTTP form-based login

Hi Ben, thanks for your excellent work on SS - have switched to M1 Ultra Mac Studio and it is fantastic with 50 cameras.

Our recent external Security Assessment (Penetration Test) pointed out that SS (and another web server we use) are using basic authentication.

Excerpt:

More Vulnerability Details

▪ The username and password are sent in every request. Although they are encoded with Base64, this does not add any security since they can be decoded easily.

▪ Most configurations of Basic Authentication do not implement protection against password brute forcing. For external-facing systems, this may pose a heightened risk as anyone on the internet can attempt to brute force passwords for weeks, months, or years.

▪ Logout functionality is also not supported. Although there are workarounds for this, they are not supported by all browsers.

▪ Passwords cannot be easily reset. If a user loses their credentials, they should be able to reset their password immediately. This is not possible in most basic authentication implementations.


More information can be found here:

https://www.virtuesecurity.com/kb/pentesting-basic-authentication/

I've definitely seen the lack of logout - I just go to our site and I'm in. Even if I click on 'Log out'.

Their recommendation:

▪ Remove basic authentication and implement HTTP form based login 

▪ Implement brute force lockout policy for invalid login attempts

I know you have put in a brute force lockout (can't remember the details and they are not mentioned in the Preferences/Web pane).

What are your thoughts on switching to form-based login?

Thanks, James.

Comments

  • It would make it possible to implement One-Time Passwords, I think.

  • Ben
    edited August 2022

    I understand the reasons for these concerns, however we are reluctant to change the web server authentication system at this time, because many users and other developers have built systems/applications around the current implementation. My further comments would be as follows:

    • Yes, authentication is sent with every new request. However this isn't significantly less secure than authentication being sent once at the beginning of the session. The main thing that determines whether you are really secure in both cases is if you are using an HTTPS connection rather than a plaintext HTTP connection.
    • Over an HTTPS connection, everything is encrypted, so it's not possible for someone intercepting the data to extract the username/password, even with basic authentication. We recommend that our users always use HTTPS for connections over the Internet.
    • SecuritySpy does have protections against brute forcing. If a client makes multiple incorrect login attempts, SecuritySpy will first start to delay its responses, and then will temporarily block the client. This makes brute forcing the username/password impossible for any reasonably strong password. To help with this, we recommend users always use strong passwords.
    • Lack of an official logout mechanism is unfortunate - there really should be a standard for this for basic authentication but there isn't. However, SecuritySpy does implement this in Safari, which is the browser that most of our users use. What browser are you using?
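The two mechanisms discussed above (the pentest's point that a Basic `Authorization` header is only Base64-encoded, and Ben's description of a delay-then-block response to repeated failures) in working Python. This is an added illustration, not SecuritySpy's code; the thresholds (delays after 3 failures, a 300-second block after 8), the sample user table and the client address are assumptions chosen for the example.

```python
"""Added example (not SecuritySpy code): decode a Basic Authorization header and
apply a delay-then-block throttle of the kind described in the reply above.

Assumptions for illustration only: delays begin after 3 failures, a temporary block
begins after 8, the block lasts 300 s. These are not SecuritySpy's actual values.
"""
import base64
import binascii
import hmac
from dataclasses import dataclass, field


def decode_basic(header_value: str):
    """Return (username, password) from 'Basic <base64>' or None if malformed.

    This is what the finding means by "encoded, not encrypted": anyone who sees the
    header on a plaintext HTTP connection gets the credentials back in one call.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    user, sep, password = text.partition(":")
    if not sep:  # RFC 7617 requires a colon between user-id and password
        return None
    return user, password


@dataclass
class ClientState:
    failures: int = 0
    blocked_until: float = 0.0


@dataclass
class BasicAuthGate:
    users: dict                       # username -> password (sample; real code stores hashes)
    delay_after: int = 3              # assumption
    block_after: int = 8              # assumption
    block_seconds: float = 300.0      # assumption
    clients: dict = field(default_factory=dict)

    def check(self, client_ip: str, header_value, now: float):
        """Return (status, delay_seconds); status is 'ok', 'unauthorized' or 'blocked'."""
        state = self.clients.setdefault(client_ip, ClientState())
        if now < state.blocked_until:
            return "blocked", 0.0      # blocked clients get no answer, right or wrong
        creds = decode_basic(header_value) if header_value else None
        ok = False
        if creds:
            user, password = creds
            expected = self.users.get(user, "")
            # constant-time compare, evaluated even for unknown users to avoid a timing oracle;
            # the membership test stops an unknown user with an empty password from passing
            ok = hmac.compare_digest(password.encode(), expected.encode()) and user in self.users
        if ok:
            state.failures = 0
            return "ok", 0.0
        state.failures += 1
        if state.failures >= self.block_after:
            state.blocked_until = now + self.block_seconds
            return "blocked", 0.0
        if state.failures >= self.delay_after:
            # exponential backoff starting at 1 s, capped at 30 s
            delay = min(2.0 ** (state.failures - self.delay_after), 30.0)
            return "unauthorized", delay
        return "unauthorized", 0.0


def demo():
    """Constructed sequence: 10 wrong passwords, then the right one, then the block expiring."""
    gate = BasicAuthGate(users={"admin": "correct horse battery staple"})
    good = "Basic " + base64.b64encode(b"admin:correct horse battery staple").decode()
    bad = "Basic " + base64.b64encode(b"admin:password123").decode()
    client = "203.0.113.7"  # documentation-range address, constructed
    results = [gate.check(client, bad, now=1000.0 + i) for i in range(10)]
    results.append(gate.check(client, good, now=1010.0))  # correct, but still inside the block
    results.append(gate.check(client, good, now=1310.0))  # block (1007 + 300) has expired
    return results


if __name__ == "__main__":
    for status, delay in demo():
        print(status, delay)
```

Note that a block is keyed on the client address here; a distributed guess from many addresses is not slowed by this alone, which is why strong passwords and HTTPS remain the primary controls in Ben's reply.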
  • Thanks for your detailed reply Ben, and I see your points.

    Perhaps it could be an option, like it is not to allow HTTP?

    Re logout, yes, I'm using Safari on Mac. I click on the Log Out button and it says I've been logged out. However going to the website will log me straight in. No box to authenticate drops down. Maybe it is Apple's new security feature?

  • Hi @jlbrown I believe the logout function will only work if you haven't asked Safari previously to remember the password, in the login screen that pops up. Once Safari remembers the password it will just work to log in without any further security prompt in the future.

    I agree that this isn't an ideal situation, we'll see what we can do in terms of a token-based login system in the future.

  • If this were an audit finding for the OP, the OP may have little to no recourse regarding the authentication.

    In that case, perhaps putting SecuritySpy Web behind a reverse proxy that supports other forms of authentication (with the Basic Auth only between the proxy and SSW) would be do-able and an acceptable solution.
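The arrangement suggested in the last comment, as an added Python illustration rather than code from SecuritySpy or from any particular proxy: the proxy authenticates browsers itself with a form login that issues a random session cookie (giving real logout and idle expiry, the two things the pentest flagged), and only the proxy-to-backend hop carries Basic Auth, using one backend credential the browser never sees. The cookie name `ssw_session`, the 15-minute idle timeout, the user table and the backend account are all assumptions for the example.

```python
"""Added example (not SecuritySpy's or any proxy's code): terminate authentication at
a reverse proxy and speak Basic Auth only to the backend.

Assumptions for illustration: cookie name 'ssw_session', a 15-minute sliding idle
timeout, PBKDF2 for the proxy's own user table, and a constructed backend account.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "ssw_session"   # assumption
SESSION_TTL = 15 * 60         # seconds, assumption
PBKDF2_ROUNDS = 100_000       # assumption


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def basic_header(user: str, password: str) -> str:
    """Build the Basic Authorization value for the proxy-to-backend hop."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class AuthProxy:
    backend_user: str
    backend_password: str
    users: dict = field(default_factory=dict)     # username -> (salt, pbkdf2 hash)
    sessions: dict = field(default_factory=dict)  # token -> (username, expires_at)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: float):
        """Form login: return a Set-Cookie value on success, None on failure."""
        # dummy salt/hash for unknown users so the hash is always computed (no timing hint)
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        candidate = _hash_password(password, salt)
        if username not in self.users or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, now + SESSION_TTL)
        return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def logout(self, cookie_header: str) -> None:
        """Real logout: forget the token server-side; the cookie is now worthless."""
        self.sessions.pop(self._token_from(cookie_header), None)

    def upstream_headers(self, cookie_header: str, now: float):
        """Return ('forward', headers) for a live session, else ('login', None)."""
        token = self._token_from(cookie_header)
        entry = self.sessions.get(token)
        if entry is None or now >= entry[1]:
            self.sessions.pop(token, None)          # drop expired sessions eagerly
            return "login", None
        username, _ = entry
        self.sessions[token] = (username, now + SESSION_TTL)  # sliding idle timeout
        return "forward", {
            # Basic Auth exists only on this hop; the browser's own Authorization
            # header (if any) is deliberately not forwarded.
            "Authorization": basic_header(self.backend_user, self.backend_password),
            "X-Forwarded-User": username,
        }

    @staticmethod
    def _token_from(cookie_header: str) -> str:
        for part in (cookie_header or "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME:
                return value
        return ""


def demo():
    """Constructed walk-through: bad login, good login, forward, logout, expiry."""
    # Sample backend credential; a real one should be long and random.
    proxy = AuthProxy(backend_user="ssw", backend_password="secret")
    proxy.add_user("james", "correct horse battery staple")
    bad_login = proxy.login("james", "wrong", now=0.0)
    set_cookie = proxy.login("james", "correct horse battery staple", now=0.0)
    cookie = set_cookie.split(";")[0]               # what the browser sends back
    before = proxy.upstream_headers(cookie, now=60.0)
    proxy.logout(cookie)
    after = proxy.upstream_headers(cookie, now=61.0)
    cookie2 = proxy.login("james", "correct horse battery staple", now=100.0).split(";")[0]
    expired = proxy.upstream_headers(cookie2, now=100.0 + SESSION_TTL)
    return {"bad_login": bad_login, "before": before, "after": after, "expired": expired}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real deployment the same split is done with a proxy's auth module (form or OIDC login, a session cookie, `proxy_set_header Authorization` style injection toward the backend) rather than hand-written code, and the backend should only accept connections from the proxy.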