Security implications of sending a plain-text password for authentication.


coreyman

Question

Currently, if you interact with the Blesta API, you have to send a plain-text password to the API to become authorized: http://source-docs.blesta.com/class-Users.html

  • Anyone able to eavesdrop on the conversation will learn the client's secret.
  • If the client is talking to the wrong server, it reveals its secret to that potentially malicious server.

Are we solely relying on TLS to keep the communication secret?



It's standard practice to use TLS over HTTP to secure payload transmissions. All API requests are expected to be made over HTTPS. The Blesta UI will also send plain-text passwords in POST requests from the browser to the server, just like every other web application.

Any time you are dealing with sensitive information, requests should be transmitted over HTTPS. This not only includes all API requests, but all requests through Blesta in general since any log-in data or cookies should be secure too.

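Since the answer above makes TLS the only protection for the plain-text password, a client should refuse to send credentials over anything but HTTPS and must verify the server's certificate and hostname, which covers both risks raised in the question. The following is an added illustration, not Blesta's own code: the URL, endpoint path, credentials and the Basic Authorization header scheme are constructed assumptions.

```python
"""Client-side transport guard for an API call that carries a plain-text password.

Added example (not part of the Blesta project). Host, path, credentials and the
Basic Authorization header below are placeholders chosen for illustration.
"""
import base64
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureTransportError(Exception):
    """Raised when a request would carry credentials without TLS."""


def validate_api_url(url: str) -> str:
    """Return the URL unchanged if it is https with a hostname; otherwise raise."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise InsecureTransportError(
            f"refusing to send credentials over {parsed.scheme or 'unknown'}://")
    if not parsed.hostname:
        raise InsecureTransportError("no hostname to match the certificate against")
    return url


def is_safe_transport(url: str) -> bool:
    """Boolean form of validate_api_url, for callers that want to fail soft."""
    try:
        validate_api_url(url)
        return True
    except InsecureTransportError:
        return False


def build_tls_context() -> ssl.SSLContext:
    """Context that requires a trusted certificate whose name matches the host."""
    ctx = ssl.create_default_context()          # system CA store, hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                   # talking to the wrong server fails here
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_authenticated_request(url: str, username: str, password: str) -> urllib.request.Request:
    """Attach the credentials only after the transport check has passed."""
    safe_url = validate_api_url(url)            # raises before any secret is encoded
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(safe_url, headers={"Authorization": f"Basic {token}"})


def call_api(url: str, username: str, password: str) -> bytes:
    """Send the authenticated request over a verified TLS connection."""
    req = build_authenticated_request(url, username, password)
    with urllib.request.urlopen(req, context=build_tls_context()) as resp:
        return resp.read()
```

The same guard applies to the browser-to-server POST the answer mentions: enforce HTTPS for the whole site (for example with HSTS) rather than only for the API path.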
