Alex Bliskovsky

Reputation: 6293

PLAIN authentication over SSL/TLS

If I'm connecting to a mail server over SSL or TLS but using PLAIN authentication, is that secure?

Upvotes: 2

Views: 5703

Answers (2)

Drona

Reputation: 7234

Ryan is absolutely right if you are sure that you will never use your application without SSL. SSL is at the presentation layer, and whenever a socket connection is established, the SSL handshake is the first thing that happens, which includes host verification, exchange of session keys and creating a secure transport layer. Communication at the application layer happens once this secure channel is established, and the data that is exchanged is encrypted using the session keys, hence the communication is secure anyway.

However, if your application has an option to work with/without SSL then you should be encrypting your password separately. While working over SSL, this would be redundant but otherwise it is necessary.

Upvotes: 2

kitti

Reputation: 14804

Since the SSL/TLS connection is already encrypted, sending the password as PLAIN text doesn't hurt anything. You could encrypt the password as well, but then you're just double encrypting it. In most cases, I would consider that superfluous.

One case I can think of where you would use something other than PLAIN over SSL/TLS is if you choose to authenticate with certificates instead of passwords. Otherwise, I'd leave it at PLAIN.

Upvotes: 14
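The point both answers make is that PLAIN carries no protection of its own (it is only base64, which anyone on the path can reverse), so the client must guarantee the TLS channel exists, with certificate and hostname verification, before the credentials ever leave the process. The following is an added illustration, not code from either answer or from any mail library: it builds the SASL PLAIN initial response as RFC 4616 defines it, shows that it decodes straight back to the password, and wraps the AUTH step in a check that refuses to produce the command unless the socket is a handshake-completed `ssl.SSLSocket`. The function names (`plain_initial_response`, `authenticate_plain`, `is_tls_protected`, and the demo helpers) are my own choices.

```python
import base64
import socket
import ssl

# --- SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd, base64-encoded ---

def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Build the PLAIN initial response. Base64 is an encoding, not encryption."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain_initial_response(message: str) -> tuple[str, str, str]:
    """Inverse of plain_initial_response: anyone who sees the message recovers the password."""
    parts = base64.b64decode(message).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected authzid, authcid, passwd")
    return parts[0], parts[1], parts[2]


# --- TLS channel policy the client enforces before it will speak PLAIN ---

def make_client_context() -> ssl.SSLContext:
    """Default context already requires a valid cert chain and checks the hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_tls_protected(sock: socket.socket) -> bool:
    """True only for an SSLSocket whose handshake has completed (a negotiated version exists)."""
    return isinstance(sock, ssl.SSLSocket) and sock.version() is not None


def authenticate_plain(sock: socket.socket, authcid: str, password: str) -> bytes:
    """Return the AUTH PLAIN command line to send, or refuse if the channel is not TLS."""
    if not is_tls_protected(sock):
        raise RuntimeError("refusing to send PLAIN credentials over an unencrypted connection")
    return b"AUTH PLAIN " + plain_initial_response(authcid, password).encode("ascii") + b"\r\n"


def open_tls_connection(host: str, port: int) -> ssl.SSLSocket:
    """Connect with implicit TLS (e.g. port 465/993); server_hostname drives hostname checking."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


# --- offline demonstrations of the refusal path (no network needed) ---

def refuses_plain_socket() -> bool:
    """A bare TCP socket must never carry PLAIN credentials."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            authenticate_plain(s, "user", "s3cret")
        except RuntimeError:
            return True
    return False


def refuses_unhandshaked_tls_socket() -> bool:
    """An SSLSocket that has not completed its handshake is not yet a secure channel either."""
    with make_client_context().wrap_socket(
        socket.socket(socket.AF_INET, socket.SOCK_STREAM), server_hostname="mail.example.invalid"
    ) as s:
        try:
            authenticate_plain(s, "user", "s3cret")
        except RuntimeError:
            return True
    return False


if __name__ == "__main__":
    msg = plain_initial_response("user", "s3cret")  # constructed sample credentials
    print("PLAIN message:", msg, "-> decodes to", decode_plain_initial_response(msg))
    print("refused on plain TCP socket:", refuses_plain_socket())
    print("refused before TLS handshake:", refuses_unhandshaked_tls_socket())
```

For a STARTTLS port (587 or 143) the same `make_client_context()` and `wrap_socket(..., server_hostname=host)` call is applied to the socket after the server accepts STARTTLS, and `authenticate_plain` is only called on the wrapped socket; the check in `is_tls_protected` is what stops a downgrade (a server that never offers STARTTLS) from silently turning into a plaintext credential leak.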
