
I have WebSVN, GitLab and phpMyAdmin hosted on my dev server. Now I password-protect all of these pages (not their individual logins) using HTTP Basic Auth. Is this the best practice that I can do?

Anders

1 Answer

If you aren't using HTTPS then this information could easily be picked up by anyone sitting between you and your server and reused. If you are using SSL/HTTPS to encrypt the link, then you should be fine.

AJ Henderson
  • What if I don't have SSL/HTTPS? Do I have an alternative? – Leandro Garcia Jun 17 '13 at 17:18
  • @LeandroGarcia - not really. It's completely insecure if it is connecting over a network you don't have complete control over. If it was only being used internally on your network, you should probably be ok as long as you know there are no rogue devices, but it's very risky. There are various login methods that can encrypt the password exchange alone, but without SSL to verify the server is legit, someone could still get in between you and the server and spoof the login to get your credentials. – AJ Henderson Jun 17 '13 at 17:23
  • @LeandroGarcia - note that you don't need a commercial SSL certificate. You could make a self-signed certificate and simply add it to your computer's trusted certificates and it would work for protecting your login. It wouldn't work well for a public site as people would be suspicious of it, but for your own use, it's fine and free. – AJ Henderson Jun 17 '13 at 17:25
  • Hmm, if that is the case, may I ask how you protect subdomains or domains that contain some things not meant to be public but must be placed there? – Leandro Garcia Jun 17 '13 at 17:26
  • @LeandroGarcia - HTTPS with whatever authentication you want or something like SFTP. No authentication of a client can be secure unless you first validate the server is authentic. – AJ Henderson Jun 17 '13 at 17:55
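A worked illustration of the answer's two points, added here and not part of the original answer (the sample request, host name and credentials are constructed): a Basic Authorization header on a plain-HTTP request is only base64 of `user:password`, so anyone on the path reads it directly, and the transport check that must pass before Basic Auth is acceptable is simply "is this HTTPS".

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample: the request an on-path observer sees when phpMyAdmin is
# fronted by Basic Auth over plain HTTP (host, user and password are invented).
SAMPLE_REQUEST = (
    "GET /phpmyadmin/ HTTP/1.1\r\n"
    "Host: dev.example.test\r\n"
    "Authorization: Basic bGVhbmRybzpodW50ZXIy\r\n"
    "\r\n"
)


def decode_basic_credentials(header_value):
    """Return (user, password) from a 'Basic <token>' Authorization value.

    RFC 7617 Basic credentials are base64 of 'user:password', not encryption,
    so the password is readable by whoever can read the request.
    Returns None if the value is not a well-formed Basic credential.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_exposed(raw_request):
    """What a passive observer recovers from a captured plain-HTTP request,
    or None if the request carries no Basic credentials."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return decode_basic_credentials(value)
    return None


def basic_auth_transport_ok(url):
    """The answer's condition: Basic Auth is acceptable only over HTTPS, which
    both encrypts the header and lets the client verify the server."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)
```

Over HTTPS the same observer sees only TLS records, which is why the answer treats a self-signed certificate trusted on your own machine as sufficient for a private dev server.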