What is the difference between HTTP Digest Authentication
and SSL
from a performance, security and flexibility point of view?
views:
1189answers:
3Digest authentication only encrypts the authentication credentials (that is, the username and password you type into your browser's authentication dialog)... SSL encrypts everything in the page. So SSL will be less efficient, and it's also typically more involved to set up. But SSL does have the advantage that it lets both parties verify each others' identities, if they have trusted certificates. HTTP digest authentication doesn't do that, so when using HTTP digest without SSL, you don't really know if the server you're sending your login info to is the right one or an imposter.
The pros and cons of HTTP Digest Authentication are explained quite clearly in the Wikipedia article on the topic -- you should read that!
To put it bluntly: HTTP Digest Auth will only protect you from losing your cleartext password to an attacker (and considering the state of MD5 security, maybe not even that).
It is however wide open to Man-in-the-Middle attacks and also -- depending on the implementation, since most of the advanced features are optional -- replay, dictionary and other forms of attacks.
However, the biggest difference between an HTTPS connection and an HTTP connection protected by Digest Auth is that with the former everything is encrypted with Public Key Encryption, while with the latter content is sent in the clear.
As for the performance: from the above mentioned points it should be quite clear that you get what you pay for (with CPU cycles).
For "flexibility" I'll go with: huh?
Some server implementations of HTTP Digest Authentication force you to save the cleartext passwort on the server better implementations save username:realm:MD5(username:realm:password)
this has the effect of salting the stored password which gives some security if attackers have obtained the password file.