Created On:  13 October 2011


When clicking on a StarTeam link in the result set in Borland Search Server, a warning appears implying that the credentials are being sent in an unencrypted format.


Borland Search Server (BSS) uses "basic access authentication" via the HTTP "Authentication" header.

Before transmission, the user name is appended with a colon and concatenated with the password. The resulting string is encoded using the Base64 algorithm. For example, given the user name 'Aladdin' and password 'open sesame', the string 'Aladdin:open sesame' is Base64 encoded, resulting in 'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='.

The Base64-encoded string is transmitted and decoded by the receiver, resulting in the colon-separated user name and password string.

While encoding the user name and password with the Base64 algorithm makes them unreadable to the unaided eye, they are as easily decoded as they are encoded.

Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

If SSL is not used, then the credentials are passed as plain text and could be intercepted. Basic authentication across an SSL connection will be secure, since everything will be encrypted, including the username and password.
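The following is an added example, not Borland or StarTeam code: it reproduces the 'Aladdin:open sesame' encoding described above, shows that the receiver (or anyone watching the wire) reverses it with one call, and adds a check that flags a Basic credential attached to a plain http:// request. The header name, URL and request dictionary are constructed for the example.

```python
"""Basic access authentication: Base64 is encoding, not encryption."""
import base64
from typing import Dict, Tuple
from urllib.parse import urlparse


def basic_auth_value(username: str, password: str) -> str:
    """Build the Basic credential as it appears in the request header
    (RFC 7617 names it Authorization). Base64 only makes the bytes
    HTTP-safe; it hides nothing."""
    if ":" in username:
        # The user name may not contain a colon, or decoding is ambiguous.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Reverse the encoding exactly as a receiver or eavesdropper would."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded credential lacks the ':' separator")
    return username, password


def credentials_exposed(url: str, headers: Dict[str, str]) -> bool:
    """True when a Basic credential would travel in the clear, i.e. the
    request carries one and the URL is not https:// (no SSL/TLS)."""
    auth = headers.get("Authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    return urlparse(url).scheme.lower() != "https"


if __name__ == "__main__":
    value = basic_auth_value("Aladdin", "open sesame")
    print(value)                     # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(decode_basic_auth(value))  # ('Aladdin', 'open sesame')
    # Constructed request headers; the host name is a placeholder.
    hdrs = {"Authorization": value}
    print(credentials_exposed("http://search.example/starteam/item", hdrs))   # True
    print(credentials_exposed("https://search.example/starteam/item", hdrs))  # False
```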
Incident #2531523