Reputation: 1040
In Securing an API: SSL & HTTP Basic Authentication vs Signature HTTP Basic Authentication is cited as an adequate way to secure REST web service calls if the REST calls are made through SSL.
But it seems this method will still not work for an unsecured client page that uses Ajax to make calls to the REST service that is protected behind SSL & Basic Auth.
I am trying to design an application that performs password reset using the usual way:
By definition these pages do not require login. Can this UI be implemented using Ajax that calls REST services to do things like validate token, send email, etc.? Even if those REST services are protected behind SSL & Basic Auth, the information that you need to call the service (i.e. the application's "username" and password) will be at best in cookies which would be accessible through the browser.
I know I am missing something. I just don't know what :-)
Upvotes: 1
Views: 3147
Reputation: 39296
As long as 1 - 3 happen under SSL, the data will be safe over the wire to the server (assuming you trust the certificate authority).
During that process, the browser will hold those credentials in memory. You have no choice but to trust that if the user is going to enter the data.
It is the web site's code that determines whether to store info in cookies.
I think you should be OK if 1 - 3 are under SSL.
Upvotes: 1
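The question's design problem (an unauthenticated reset page calling REST endpoints without shipping the application's own Basic Auth credentials to the browser) and the answer's point that the reset steps are safe over TLS are both illustrated by the following added example. It is not code from the question, the answer, or any project; it is a minimal Python sketch of reset endpoints where the one-time token e-mailed to the user is the only secret the browser ever holds, so no application username/password needs to live in cookies or JavaScript. The endpoint names, the in-memory stores and the user record are constructed for the example; a real deployment would serve these over HTTPS and back them with a database.

```python
import hashlib
import secrets
from typing import Optional

# Constructed stand-ins for database tables (assumption: a real app would persist these).
USERS = {"alice": {"email": "alice@example.invalid", "password_hash": None, "salt": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user": str, "expires": float, "used": bool}

TOKEN_TTL_SECONDS = 15 * 60  # reset links are short-lived


def _hash_token(raw_token: str) -> str:
    # Only the hash is stored, so a database leak does not yield usable reset links.
    return hashlib.sha256(raw_token.encode()).hexdigest()


def request_reset(username: str, now: float) -> Optional[str]:
    """Hypothetical unauthenticated endpoint POST /reset/request.

    Returns the raw token that would be e-mailed to the user (never returned to
    the browser that asked), or None when the user does not exist. The HTTP
    response should look identical in both cases to avoid username enumeration.
    """
    user = USERS.get(username)
    if user is None:
        return None
    raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_hash_token(raw)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return raw


def validate_reset_token(raw_token: str, now: float) -> Optional[str]:
    """Hypothetical unauthenticated endpoint GET /reset/validate?token=...

    The token itself is the authorization: no application credentials are
    needed. Returns the owning username, or None for unknown, expired or
    already-used tokens.
    """
    record = RESET_TOKENS.get(_hash_token(raw_token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    return record["user"]


def complete_reset(raw_token: str, new_password: str, now: float) -> bool:
    """Hypothetical unauthenticated endpoint POST /reset/complete.

    Burns the token (single use) and stores a salted PBKDF2 hash of the new
    password; the plaintext password only ever travels inside the TLS session.
    """
    username = validate_reset_token(raw_token, now)
    if username is None:
        return False
    RESET_TOKENS[_hash_token(raw_token)]["used"] = True
    salt = secrets.token_bytes(16)
    USERS[username]["salt"] = salt
    USERS[username]["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000
    )
    return True


def check_password(username: str, password: str) -> bool:
    """Login check used after the reset, to show the new password took effect."""
    user = USERS.get(username)
    if user is None or user["password_hash"] is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return secrets.compare_digest(candidate, user["password_hash"])


if __name__ == "__main__":
    t0 = 1_000.0
    token = request_reset("alice", t0)
    print("validate:", validate_reset_token(token, t0))          # alice
    print("complete:", complete_reset(token, "n3w-pass", t0 + 60))  # True
    print("reuse:", complete_reset(token, "other", t0 + 61))        # False
```

The browser-side Ajax calls only ever carry the token from the e-mailed link and the new password, both inside the TLS connection; the service needs no shared application secret in the page, which is what resolves the concern in the question. The example also exercises the failure modes a reviewer would check: unknown user, tampered token, expiry, and reuse.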
Reputation: 327
I've no idea what you're protecting so I'll just toss some thoughts out.
SSL and TLS are not meaningful if you (or someone else who gives a hoot) aren't in control of the root list of the relying party. I say this because I expect that if you don't trust the guy with the key to the lock then you won't put your money in his vault. So if the users loading the login pages are in the wild so to speak then user/pass through TLS is a low bar, definitely good enough for protecting my favorite movies list.
Carby praises to the all being FSM
Upvotes: 0