I’d like to point out that I knew Basic Authentication in web servers was not bulletproof but in fact the total opposite (pointed out in the energy@home documents). This was hammered home when I was inspired by the Google I/O 2011 talk “Using GWT and Eclipse to Build Great Mobile Web Apps” to do some optimizations on the energy@home project, where I was very interested in the initial load and AJAX requests. During that process I noticed the GET request headers include an “Authorization” field with what looked like a base64 string. Lo and behold, I entered the text into a base64 decoder and out came my username and password.
Whilst I saw this running Firebug on my local machine, it makes it very easy for a man in the middle or a sniffer to capture the packet and easily get the header and therefore decode and see the username and password.
In the meantime I have implemented HTTPS on my own installation, but this does not help the majority using the software. This does not solve the problem, but it does elevate the security to (try to) hinder the sniffers and Firesheep-like attacks.
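
As an added illustration (not code from the original post or from the energy@home project), the following Python sketch audits a list of request records and flags any that carry Basic credentials without TLS. It shows that the header value is an encoding and not encryption. The record layout, the `energy.example` URLs and the credential (the example from RFC 7617) are constructed for this sketch.

```python
import base64
import binascii

def decode_basic(header_value):
    """Return (username, password) from an Authorization header value,
    or None if it is not a well-formed Basic credential (RFC 7617)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only the first colon separates the fields; a password may contain colons.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    return (user, password) if sep else None

def audit_requests(requests):
    """Return one finding per request that sends Basic credentials over plain HTTP."""
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req["headers"].items()}
        creds = decode_basic(headers.get("authorization", ""))
        if creds is None or req["scheme"] == "https":
            continue
        # Report only the password length so the audit output does not leak it again.
        findings.append({"url": req["url"], "username": creds[0],
                         "password_length": len(creds[1])})
    return findings

# Constructed sample records (hypothetical layout, not captured traffic).
SAMPLE_REQUESTS = [
    {"scheme": "http", "url": "http://energy.example/data",
     "headers": {"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}},
    {"scheme": "https", "url": "https://energy.example/data",
     "headers": {"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}},
    {"scheme": "http", "url": "http://energy.example/api",
     "headers": {"Authorization": "Bearer constructed-token"}},
    {"scheme": "http", "url": "http://energy.example/", "headers": {}},
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print("Basic credentials sent in cleartext:", finding)
```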