Do you still need to use digest authentication if you are on SSL?

This is probably a dumb question but can I do away safely with just basic HTTP auth or do I still benefit from digest auth even if the server is already on SSL?

IMB asked Aug 12 '12 16:08


2 Answers

The only advantage you would gain by using HTTP Digest authentication over SSL/TLS is to prevent the disclosure of the user password to the server itself, if your server is capable of being configured with passwords in "HA1 format" directly (i.e. if it doesn't need to know the password itself, but where the user password can be configured with MD5(username:realm:password), without requiring the password in clear, see Apache Httpd for example).

In practice, this isn't really a big advantage. There are better alternatives if protecting the password itself from the server is required (in particular because MD5 isn't considered good enough anyway nowadays).

The other features of HTTP Digest authentication (over form/HTTP Basic) are already provided by the SSL/TLS layer.

Bruno answered Oct 01 '22 21:10
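The point in the answer above, as an added example that is not part of the original thread: with Basic auth the server decodes the cleartext password from the header, while with Digest it can verify the RFC 2617 response using only the stored HA1 value, MD5(username:realm:password). Username, realm, password, nonce and URI values below are constructed for illustration.

```python
import base64
import hashlib
import secrets


def md5_hex(s: str) -> str:
    # MD5 is used because RFC 2617 Digest is defined on it; this only reproduces the scheme.
    return hashlib.md5(s.encode()).hexdigest()


def make_basic_header(username: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value a client sends."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_credentials_seen_by_server(header_value: str) -> tuple[str, str]:
    """What the server recovers from a Basic header: TLS protects it on the wire,
    but the server process (and anything behind the TLS terminator) gets the cleartext."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(b64).decode().partition(":")
    return user, pw


def ha1(username: str, realm: str, password: str) -> str:
    """The 'HA1 format' value a server may store instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth. The client derives HA1 from the password;
    the server derives the same response from its stored HA1 and never sees the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(stored_ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, client_response: str) -> bool:
    """Server-side check using only the stored HA1 (constant-time comparison)."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, client_response)


if __name__ == "__main__":
    # Constructed sample: the server stores only HA1, the client knows the password.
    stored = ha1("alice", "example-realm", "correct horse battery staple")
    resp = digest_response(stored, "GET", "/secret", "nonce-1", "00000001", "cnonce-1")
    print("digest verified:", server_verifies(stored, "GET", "/secret", "nonce-1", "00000001", "cnonce-1", resp))
    print("basic reveals:", basic_credentials_seen_by_server(make_basic_header("alice", "correct horse battery staple")))
```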


Across SSL, basic auth is secure enough for most needs.

Ray answered Oct 01 '22 20:10