Monday, January 28, 2008

base64-encrypt()

http://www.kb.cert.org/vuls/id/180876

Base64 encoding is just that: encoding. It's a way to make sure that data containing bytes outside the safe printable-ASCII set can be sent over the wire in an unambiguous, portable manner. It is not, and was never meant to be, encryption: there is no key, so anyone who sees the output can reverse it with a single library call. Encoding a password with base64 adds no security, just as encoding it with rot13 adds none. It is obfuscation at best; arguably less than obfuscation, since a base64 blob on the wire sticks out and says, "Hey, look at me!" Taking an authentication mechanism that was protected by real encryption and sending it back out in plaintext (or, equivalently, in base64) is ridiculous.

So don't ever do that.
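To make the point concrete, here is an added example (my own code, not part of the original post and not related to the product in the CERT note). It takes a constructed capture of a few HTTP header lines, where the Basic Authorization header is literally base64 of user:password, and shows both halves of the argument: recovering the credential needs no key, and base64 tokens are easy to pick out of traffic in the first place. The header values, the regex and the function names are all assumptions made for illustration.

```python
import base64
import binascii
import re

# Constructed sample capture (not real traffic). HTTP Basic auth is exactly
# base64("user:password"), which makes it a good stand-in for any scheme that
# "protects" a credential by base64-encoding it.
CAPTURED = [
    "GET /admin HTTP/1.1",
    "Host: intranet.example",
    "Authorization: Basic YWRtaW46aHVudGVyMg==",
    "Cookie: session=ZGVhZGJlZWY=",
    "User-Agent: Mozilla/5.0",
]

# Base64 "sticks out": a run of the 64-character alphabet, at least 8 long,
# optionally padded with '=' and not glued to other base64 characters.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{8,}={0,2})(?![A-Za-z0-9+/=])"
)


def decode_base64_strict(token):
    """Return the decoded bytes if token is well-formed base64, else None."""
    # Padded base64 is always a multiple of 4 characters long.
    if len(token) % 4 != 0:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_printable_ascii(data):
    """True if every byte is printable ASCII (what a credential usually is)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(32 <= ord(c) < 127 for c in text)


def find_base64_secrets(lines):
    """Scan captured lines for base64-looking tokens and decode each one.

    Returns (line, token, decoded_text) for every token that decodes to
    printable ASCII.  Random words that happen to be valid base64 (for
    example "intranet") decode to binary junk and are dropped.
    """
    hits = []
    for line in lines:
        for match in B64_TOKEN.finditer(line):
            token = match.group(1)
            raw = decode_base64_strict(token)
            if raw is not None and is_printable_ascii(raw):
                hits.append((line, token, raw.decode("ascii")))
    return hits


def basic_auth_credentials(lines):
    """Recover (user, password) from an HTTP Basic Authorization header.

    This is the whole "attack": no key, no brute force, one decode call.
    Returns None if there is no such header or it is malformed.
    """
    for line in lines:
        if line.lower().startswith("authorization: basic "):
            raw = decode_base64_strict(line.split(" ", 2)[2].strip())
            if raw is None:
                return None
            user, _, password = raw.decode("utf-8").partition(":")
            return user, password
    return None


if __name__ == "__main__":
    print("Basic auth credential:", basic_auth_credentials(CAPTURED))
    for line, token, text in find_base64_secrets(CAPTURED):
        print(f"{token!r} in {line!r} decodes to {text!r}")
```

Run it and the Authorization header yields the user name and password directly; the scanner also flags the cookie value, which is why base64 is, if anything, worse than leaving a value alone: it advertises that something was "hidden" there. The same scanner would work just as well on an application protocol that replaced a genuinely encrypted credential with a base64-encoded one.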
