Should I combine Basic authentication with a Secure Sockets Layer (SSL) tunnel to protect user credentials that are sent across an HTTP connection?

When you use Basic authentication, the credential information that travels between the Web browser and the server isn't secured; it's just base64 encoded. Intruders can easily decode base64; for a demonstration, you can use an online base64-decoder tool. You can find a good example of such a tool at http://www.robertgraham.com/tools/base64coder.html. Go to the URL, enter the Basic authentication string

ZG9tYWluXHVzZXJuYW1lOnBhc3N3b3Jk

into the decoder, and click Decode.

Because decoding base64 is so easy, I recommend that you use SSL to secure HTTP traffic. To use SSL, you'll need to set up certificates on the Web server and, optionally, on the client. SSL uses these certificates to provide the following security services:

  • Server authentication—SSL uses X.509 server certificates to authenticate the Web server.
  • Data confidentiality and integrity services—SSL always provides channel-encryption services.
  • Optional client authentication—SSL uses X.509 client certificates to authenticate clients.