Android client: basic authentication possible


Android client: basic authentication possible

Postby piethein » Thu Jul 05, 2012 8:32 am

I have noticed the Android client uses plaintext/hex-encoded credentials in the URL, is it possible to change this to basic authentication?
piethein
 
Posts: 35
Joined: Fri Dec 03, 2010 5:58 pm

Re: Android client: basic authentication possible

Postby hakko » Thu Jul 05, 2012 8:49 am

I totally agree that plain-text credentials are a security flaw, but basic authentication is just as bad? It's only base64.
MusicCabinet developer
hakko
 
Posts: 1416
Joined: Tue Apr 17, 2012 7:05 pm
Location: Sweden

Re: Android client: basic authentication possible

Postby piethein » Thu Jul 05, 2012 10:41 am

To access Subsonic I proxy it through Apache on an SSL connection; not having credentials in the URL would have some advantages for my server's logs and possibly for browser histories.

Without SSL (or another method, e.g. IPsec) to encrypt the connection, only some secure kind of key exchange (Diffie-Hellman, e.g.) could prevent simple attacks on the credentials. Using a hash+salt for the credentials could prevent their plaintext base from being exposed better than hex/base64-encoded plaintext, of course.
piethein
 
Posts: 35
Joined: Fri Dec 03, 2010 5:58 pm

Re: Android client: basic authentication possible

Postby jol » Thu Jul 05, 2012 11:50 am

Imho credentials on the URL are a no-go, basic authentication with SSL is totally fine, especially for REST-like calls. If you want to protect credentials without SSL, one can use SCRAM or similar, but you need to be aware it protects only the password, any other communication is unprotected.
Best regards, jol
Subsonic 4.7 running on Acer H340 with LDAP authentication / Windows Home Server 2011 - Android client (3.5)
jol
 
Posts: 52
Joined: Sat Jan 21, 2012 7:40 pm
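To make jol's SCRAM remark concrete, here is an added example (not code from this thread, Subsonic, or its Android client) of the SCRAM-SHA-1 proof computation from RFC 5802: the server stores only StoredKey = H(ClientKey), the client sends ClientKey XOR HMAC(StoredKey, AuthMessage), and the server can verify that without ever seeing the password. The salt, iteration count, nonces and username are constructed fixed values so the run is deterministic; a real server uses random salt and nonces, and note that nothing here protects the rest of the traffic.

```python
import base64
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-1 for SCRAM-SHA-1
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def server_store(password: str, salt: bytes, iterations: int) -> bytes:
    # At enrolment the server keeps StoredKey = H(ClientKey), never the password itself
    client_key = hmac.new(salted_password(password, salt, iterations), b"Client Key", hashlib.sha1).digest()
    return hashlib.sha1(client_key).digest()


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); the password never leaves the client
    client_key = hmac.new(salted_password(password, salt, iterations), b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    return _xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha1).digest())


def server_verify(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    # The server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return hmac.compare_digest(hashlib.sha1(_xor(proof, client_sig)).digest(), stored_key)


def auth_message(user: str, client_nonce: str, server_nonce: str, salt: bytes, iterations: int) -> bytes:
    # AuthMessage = client-first-message-bare "," server-first-message "," client-final-message-without-proof
    c_first = f"n={user},r={client_nonce}"
    s_first = f"r={client_nonce}{server_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    c_final = f"c=biws,r={client_nonce}{server_nonce}"  # c=biws is base64("n,,"): no channel binding
    return ",".join([c_first, s_first, c_final]).encode("utf-8")


def run_exchange(enrolled_password: str, attempted_password: str,
                 client_nonce: str = "cnonce1", server_nonce: str = "snonce1") -> bool:
    # Constructed fixed salt and iteration count (assumption, for a deterministic demo)
    salt, iterations = b"constructed-salt", 4096
    stored_key = server_store(enrolled_password, salt, iterations)
    msg = auth_message("user1", client_nonce, server_nonce, salt, iterations)
    proof = client_proof(attempted_password, salt, iterations, msg)
    return server_verify(stored_key, msg, proof)
```

Because the nonces are part of AuthMessage, a proof captured from one exchange does not verify against a later exchange with a different server nonce, which is what makes this better than a hex- or base64-encoded password on the wire.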

Re: Android client: basic authentication possible

Postby piethein » Thu Jul 05, 2012 12:16 pm

As Subsonic supports HTTP basic authentication (for quite some time now) I am surprised to see the Android client still uses the mechanism to supply the credentials via the URL.
piethein
 
Posts: 35
Joined: Fri Dec 03, 2010 5:58 pm
