<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Basic vs. Digest</title>
	<atom:link href="http://kosmaczewski.net/2008/07/07/basic-vs-digest/feed/" rel="self" type="application/rss+xml" />
	<link>http://kosmaczewski.net/2008/07/07/basic-vs-digest/</link>
	<description>Without uncertainty there is no novelty; without possible novelty there is nothing but repetition and, therefore, negation of the other as a free being: the free being is an uncertain being. (adrian mancuso)</description>
	<lastBuildDate>Mon, 15 Mar 2010 09:02:30 +0100</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Patrick</title>
		<link>http://kosmaczewski.net/2008/07/07/basic-vs-digest/comment-page-1/#comment-17225</link>
		<dc:creator>Patrick</dc:creator>
		<pubDate>Thu, 10 Jul 2008 16:42:28 +0000</pubDate>
		<guid isPermaLink="false">http://kosmaczewski.net/?p=1226#comment-17225</guid>
		<description>I don&#039;t think that digest is really that much better. If somebody can listen to your communications, he can wait for you to log in and just use your session.

So you are not protected from somebody accessing the website in your name; he just cannot get your password, which is useful only if you share the same password on more than one website.

Whatever authentication method you use, you should use encryption (HTTPS), which means that the basic authentication method is fully protected by the encryption of the TCP socket. But that has a cost:

1) you need a signed certificate to be fully secure. Otherwise, you are still open to a man-in-the-middle attack. Another partial solution (what I use) may consist of using a home-made CA to sign your key, but you&#039;ll need to install the CA certificate on every client used to access your website.

2) encryption does not work &quot;securely&quot; for named virtual servers (several addresses on the same IP address): the HTTPS server needs to know what certificate to use before getting the HTTP send header, but it needs the HTTP send header to know what certificate to use.

Personally, I always use SSL+Basic with hashed passwords (MD5 is weak, SHA1 is OK and SHA256 is a must).</description>
		<content:encoded><![CDATA[<p>I don&#8217;t think that digest is really that much better. If somebody can listen to your communications, he can wait for you to log in and just use your session.</p>
<p>So you are not protected from somebody accessing the website in your name; he just cannot get your password, which is useful only if you share the same password on more than one website.</p>
<p>Whatever authentication method you use, you should use encryption (HTTPS), which means that the basic authentication method is fully protected by the encryption of the TCP socket. But that has a cost:</p>
<p>1) you need a signed certificate to be fully secure. Otherwise, you are still open to a man-in-the-middle attack. Another partial solution (what I use) may consist of using a home-made CA to sign your key, but you&#8217;ll need to install the CA certificate on every client used to access your website.</p>
<p>2) encryption does not work &#8220;securely&#8221; for named virtual servers (several addresses on the same IP address): the HTTPS server needs to know what certificate to use before getting the HTTP send header, but it needs the HTTP send header to know what certificate to use.</p>
<p>Personally, I always use SSL+Basic with hashed passwords (MD5 is weak, SHA1 is OK and SHA256 is a must).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Yoan</title>
		<link>http://kosmaczewski.net/2008/07/07/basic-vs-digest/comment-page-1/#comment-17081</link>
		<dc:creator>Yoan</dc:creator>
		<pubDate>Mon, 07 Jul 2008 17:17:26 +0000</pubDate>
		<guid isPermaLink="false">http://kosmaczewski.net/?p=1226#comment-17081</guid>
		<description>Too bad...
“A 2002 analysis by eWeek Labs concluded that Internet Explorer Version 5.0, as well as later versions, implements digest authentication in a way that does not comply with RFC 2617. As a result, Internet Explorer cannot be used as a web client for a server that complies with the digest authentication standard.”
— http://en.wikipedia.org/wiki/Digest_access_authentication#Browser_Implementation

Web applications like Meebo, which rely on a login form and not HTTP authentication, use the JavaScript implementation of SSH to protect their users.</description>
		<content:encoded><![CDATA[<p>Too bad&#8230;<br />
“A 2002 analysis by eWeek Labs concluded that Internet Explorer Version 5.0, as well as later versions, implements digest authentication in a way that does not comply with RFC 2617. As a result, Internet Explorer cannot be used as a web client for a server that complies with the digest authentication standard.”<br />
— <a href="http://en.wikipedia.org/wiki/Digest_access_authentication#Browser_Implementation" rel="nofollow">http://en.wikipedia.org/wiki/Digest_access_authentication#Browser_Implementation</a></p>
<p>Web applications like Meebo, which rely on a login form and not HTTP authentication, use the JavaScript implementation of SSH to protect their users.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
