
I'm setting up a service which allows a single 3rd party to access a file over HTTPS. The only security mechanism the 3rd party supports is Basic Authentication.

To reduce complexity, I was going to host the file on S3. However, S3 does not support BA, so I would have to use Cloudfront with an Edge Lambda or API GW if I wanted to use BA - Not complicated, but adds additional moving parts.

This got me thinking: in a scenario where authorisation is binary (read or not read), what benefit is Basic Authentication over obscuring the filename using a suitably long (16-32 chars) random-like filename?

Edit: The point of the question is to question the old mantra of "security through obscurity is not security". The solution of randomising the filename could be considered as obscuring. So what is the threshold for security? Or perhaps, my proposal is not actually considered STO at all?
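The question's threshold can be put in numbers. The script below is an added example, not part of the original question: it draws a filename with a CSPRNG from an assumed 62-symbol URL-safe alphabet, computes the entropy of a uniformly random string of a given length, and converts that into the expected time an online guesser would need at an assumed request rate. The function names, the alphabet and the 1e6 guesses/second rate are the example's own assumptions; the 8-character password row is there only as a point of comparison.

```python
import math
import secrets
import string

# Assumed alphabet for the random filename: letters and digits, 62 URL-safe symbols.
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_filename(length: int, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols drawn uniformly with the secrets CSPRNG (never random.choice)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length) bits."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time for an online guesser to hit a uniformly random secret.

    On average the attacker needs half the keyspace, i.e. 2 ** (bits - 1) attempts.
    """
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_secrets(guesses_per_second: float = 1e6) -> dict:
    """Map each candidate secret to (entropy bits, expected years to guess).

    The guessing rate is an assumption for illustration; rate limiting and
    request logging on the server are what decide the real number.
    """
    candidates = {
        "8-char password": (len(ALPHABET), 8),
        "16-char filename": (len(ALPHABET), 16),
        "32-char filename": (len(ALPHABET), 32),
    }
    result = {}
    for label, (alphabet_size, length) in candidates.items():
        bits = entropy_bits(alphabet_size, length)
        result[label] = (bits, expected_years_to_guess(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    print("example filename:", random_filename(32))
    for label, (bits, years) in compare_secrets().items():
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years to guess at 1e6 req/s")
```

Against online guessing, a 16-symbol name already dwarfs a typical Basic Auth password, so entropy is not where the two differ. The difference is where the secret ends up: a secret in the path is a bearer token that is copied into server and proxy access logs, Referer headers, browser history and bookmarks, whereas a Basic Auth credential travels in a header and can be rotated without moving the object. If the random-name route is taken, scrub the path from logs and plan how the name will be rotated if it leaks.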

  • I think you're confused about `authentication` vs `authorization`. As the name states, Basic Authentication is an authentication mechanism and has nothing to do with authorization. – Jeroen Oct 13 '19 at 10:10
  • @Jeroen. Trust me, I know the difference - hence why I called out my authorisation requirement: read/not read and my single authenticated party. Plus, surely authentication facilitates authorisation?! – Alastair McCormack Oct 13 '19 at 10:19
  • You might want to investigate and possibly use the AWS S3 PRE-SIGNED URL functionality which will do what you need in a secure way. See: https://docs.aws.amazon.com/cli/latest/reference/s3/presign.html – jwh20 Oct 13 '19 at 11:21
  • @jwh20 AFAIK presigned URLs are only valid for up to 7 days which would not work for my use case where continuous access is required. – Alastair McCormack Oct 13 '19 at 11:48
  • @AlastairMcCormack In that case you may want to look at AWS CloudFront signed URLs where you can specify an arbitrarily long expiration time. A bit more complex in setting up but in your use case, you may not have another option. See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html – jwh20 Oct 13 '19 at 12:20
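The signed-URL approach suggested in the comments is, stripped of the AWS specifics, a capability URL whose query carries an expiry and a signature over the path and that expiry. The following is an added illustration of that general shape and is not AWS's algorithm (S3 presigned URLs and CloudFront signed URLs have their own signature formats and key handling). `sign_url`, `verify_url`, the HMAC-SHA256 construction and the hard-coded key are this example's assumptions; the key is a constructed placeholder that a real deployment would load from a secrets manager.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side key for the example only; load a real one from a secrets manager.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _signature(key: bytes, path: str, expires: int) -> str:
    """HMAC-SHA256 over the path and the expiry, so neither can be changed independently."""
    message = f"{path}\n{expires}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, key: bytes = SIGNING_KEY,
             now: Optional[int] = None) -> str:
    """Issue a link to `path` that stops verifying `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(key, path, expires)})
    return f"{path}?{query}"


def verify_url(url: str, key: bytes = SIGNING_KEY, now: Optional[int] = None) -> bool:
    """Accept only links that are unexpired and carry a valid signature for their path.

    Returns False for missing or malformed parameters, expired links, tampered
    paths or expiries, and signatures made with a different key.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires:
        return False
    expected = _signature(key, parts.path, expires)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    link = sign_url("/reports/q3.csv", ttl_seconds=3600)
    print(link)
    print("valid now:", verify_url(link))
```

A long-lived signed URL is still a bearer secret, exactly like the random filename, so the leak paths (logs, Referer, history) are the same. What it adds is a built-in expiry and the option to re-issue under a new key without moving the object, which is what makes rotation practical when, as here, the client can only follow a fixed link.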

0 Answers