Monday, February 4, 2013

Base64 Encoding and the Stupid Things Developers Do

Base64 encoding is everywhere. It the #1 data encoding type used on the internet. Even though it technically increases the size of the data by 33% its still used in spaces where speed is of the utmost importance.

Mainly because of two reasons. Its ubiquitous  and it was meant to be used to transmit non ascii data in ascii only systems. Base64 was originally designed as a method to transmit binary information through plaintext channels such as attachments on emails. Email is still plaintext, so anything thats not plaintext needs to be represented differently or else the email servers/clients would barf upon reading it.

Where the Problem Lay:
The problem is when developers dont truly understand the concepts of encoding and mentally group it into the same category as encryption. ENCODING IS NOT ENCRYPTION and dont let anyone tell you otherwise. Changing the location of the secret base from english to spanish does not protect the location from the enemy. It's especially annoying when someone tries to back up the argument of encoding as encryption by saying something like "well if they dont speak spanish then its just as good". No, its not. Because that not security, thats obfuscation  All i have to do is find someone who speaks spanish and the game is over. I used to think that if you used a encoding type nobody has ever seen before than maybe thats moving into the security category, but unfortunately its not. This is because that requires a massive underestimation of the ability of people to obsess over puzzles. Just dont do it, its really not that hard...

So, if you have sensitive information (passwords, credit cards, SSNs, keys, etc) and you only base64 encode them, then you are sending them cleartext. Every developer should consider base64 encoding as the equivalent security as plaintext, because in the end, it is.

No comments:

Post a Comment