Posted to issues@spark.apache.org by "t oo (JIRA)" <ji...@apache.org> on 2018/06/10 23:25:00 UTC

[jira] [Created] (SPARK-24510) Spark WebUI filters use Basic Authentication [security]

t oo created SPARK-24510:
----------------------------

             Summary: Spark WebUI filters use Basic Authentication [security]
                 Key: SPARK-24510
                 URL: https://issues.apache.org/jira/browse/SPARK-24510
             Project: Spark
          Issue Type: Improvement
          Components: Web UI
    Affects Versions: 2.3.0
            Reporter: t oo


*Risk/Issue summary finding*

Basic Authentication in Use

*Risk/Issue summary description/detail*

The only authentication method used by Spark web portals is basic HTTP authentication. In basic HTTP authentication, passwords are encoded using the Base64 encoding scheme before being transmitted over the network. Note that the web services communications were over HTTPS and as such the communications between supplicant and service would be encrypted, reducing the risk of this issue.

*Business impact / attack scenario*

An attacker given a reasonable time frame may be able to successfully perform a brute-force attack on the credentials, and successfully authenticate to the web service. The time frame for such an attack would also be significantly reduced if common usernames and passwords are used, such as "Administrator" and "password". Additionally, basic authentication credentials are sent with every request and may be cached by the web browser.

*Recommendation*

By itself, basic authentication is not considered secure. Other, more secure, authentication methods are offered by web servers and application frameworks and should be considered.
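The brute-force scenario in the finding above leaves a recognisable trace: a burst of 401 responses from one client, possibly followed by a 200 once a guess lands. The detector below is an added example (not code from the issue or from Spark) that runs that check over constructed access-log lines in Common Log Format, as a reverse proxy in front of a Spark UI might write them; the log lines, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the issue). A 401 means the Basic
# credentials were rejected; the 200 from 10.0.0.5 follows five rejections.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2018:23:20:01 +0000] "GET /jobs/ HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2018:23:20:02 +0000] "GET /jobs/ HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2018:23:20:03 +0000] "GET /jobs/ HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2018:23:20:04 +0000] "GET /jobs/ HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2018:23:20:05 +0000] "GET /jobs/ HTTP/1.1" 401 0
10.0.0.5 - admin [10/Jun/2018:23:20:06 +0000] "GET /jobs/ HTTP/1.1" 200 5120
10.0.0.9 - alice [10/Jun/2018:23:21:00 +0000] "GET /stages/ HTTP/1.1" 200 8192
10.0.0.9 - - [10/Jun/2018:23:25:00 +0000] "GET /stages/ HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "status": int(m["status"])}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag client IPs with >= threshold 401s inside a sliding window.
    Also report whether a 200 followed the burst (a guess may have succeeded)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["status"] == 401]
        for i in range(len(fails) - threshold + 1):
            burst_end = fails[i + threshold - 1]
            if burst_end - fails[i] <= window:  # threshold failures within window
                after = any(r["status"] == 200 and r["ts"] >= burst_end for r in recs)
                alerts[ip] = {"failed": len(fails), "success_after": after}
                break
    return alerts
```

Feed it real proxy logs to confirm that `success_after` is true only where a burst of rejections is followed by an accepted login from the same client; single failures such as the one from 10.0.0.9 do not trigger.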


