undefined | Better HN

0 pointstptacek8y ago0 comments

You need transport encryption no matter what, not just for REST APIs. I'm just addressing the app design concerns.

0 comments

Is it not true that Basic Authentication requires TLS due to transporting credentials as plain text but other variations encrypt the credentials at a higher level before being put on the wire? In that case why is TLS a necessity?

riquito8y ago

It's necessary because otherwise the encrypted credentials could be copied and used to access the service.

yebyen8y ago

It's not a given that something like Diffie-Helman shared secret is going to put the actual secret on the wire during authentication, or that smart auth strategies similar to this one that don't directly transmit secrets are always going to be susceptible to replay attacks.

(I am a dog on the internet, so don't listen to me. I also heard that the best way to get a really good answer is not just to ask any old question, but to give a wrong answer...)

1 more reply

j / k navigate · click thread line to collapse