I am currently working on a API site based on Zend Framework. As ZF doesn’t have sufficient support for Digest Authentication and it is too late to shift to another framework now, I am thinking of implementing Basic Authentication.
Basic and Digest are not actually the ideal way to perform authentication, while Digest is better but unfortunately not quite supported by Zend (implementing it properly will take too much work, need the project done asap). One of the big problem with Basic auth is that password is sent in cleartext form. I am thinking instead of sending the password in cleartext form, can I somehow hash it using one-way-hashing algorithm / bcrypt to avoid sending password in cleartext form? But it is still suffering from man-in-the-middle attack though.
But if comparing the basic authentication with current form-based authentication used by most web-apps, are they both sharing the same security problem while transferring the request to the server?
Your best option for keeping the request secure is to use SSL for your authentication requests to ensure that the information isn’t sent in plaintext.
If you try to do some kind of hashing or encryption on the client before sending the authentication request, you immediately expose your hashing algorithm and any salts you might be using to malicious users. This makes it possible for them to use dictionary attacks against your server.
Absolutely they are. Again with forms based authentication your best bet is to use SSL.
Alternatively, you might consider using an external authentication service like OAuth.