answers:

3

What is the difference between HTTP Digest Authentication and SSL from a performance, security and flexibility point of view?

+2  A: 

Digest authentication only encrypts the authentication credentials (that is, the username and password you type into your browser's authentication dialog)... SSL encrypts everything in the page. So SSL will be less efficient, and it's also typically more involved to set up. But SSL does have the advantage that it lets both parties verify each other's identities, if they have trusted certificates. HTTP digest authentication doesn't do that, so when using HTTP digest without SSL, you don't really know if the server you're sending your login info to is the right one or an imposter.

David Zaslavsky
To my understanding, digest authentication contains no encryption at all but a so-called HMAC.
mdorseif
which is calculated using cryptographic functions...
hop
@mdorseif: I guess I wasn't being very precise. I meant "encryption" in the sense of rendering some data uninterpretable, whether reversibly or not. Same sense as the crypt() function used to hash passwords on Linux.
David Zaslavsky
+2  A: 

The pros and cons of HTTP Digest Authentication are explained quite clearly in the Wikipedia article on the topic -- you should read that!

To put it bluntly: HTTP Digest Auth will only protect you from losing your cleartext password to an attacker (and considering the state of MD5 security, maybe not even that).

It is however wide open to Man-in-the-Middle attacks and also -- depending on the implementation, since most of the advanced features are optional -- replay, dictionary and other forms of attacks.

However, the biggest difference between an HTTPS connection and an HTTP connection protected by Digest Auth is that with the former everything is encrypted with Public Key Encryption, while with the latter content is sent in the clear.

As for the performance: from the above mentioned points it should be quite clear that you get what you pay for (with CPU cycles).

For "flexibility" I'll go with: huh?

hop
+1  A: 

Some server implementations of HTTP Digest Authentication force you to save the cleartext password on the server. Better implementations save username:realm:MD5(username:realm:password); this has the effect of salting the stored password, which gives some security if attackers have obtained the password file.

mdorseif
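To make the two points above concrete (the first answer's claim that only a hash of the credentials goes over the wire, and this answer's point that a server can store `username:realm:MD5(username:realm:password)` instead of the cleartext password), here is an added example that is not code from any of the posters. It implements the RFC 2617 `qop=auth` computation, a server that holds only HA1 values, and the optional nonce bookkeeping that turns away a replayed Authorization header. The realm, user, password file contents and URIs are constructed sample values.

```python
"""Digest auth round trip (RFC 2617, qop=auth) against a server that stores only HA1.

Constructed example: the realm, the user "alice", her password and the one-line
password file below are made up for the demonstration.
"""
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all a well-designed server stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1: str, method: str, uri: str, nonce: str,
                     nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


REALM = "example.com"  # constructed realm
# Constructed password file in the username:realm:HA1 layout the answer describes.
PASSWORD_FILE = "alice:" + REALM + ":" + compute_ha1("alice", REALM, "correct horse")


def load_ha1_store(text: str) -> dict:
    """Parse username:realm:HA1 lines into a lookup keyed by (username, realm)."""
    store = {}
    for line in text.splitlines():
        user, realm, ha1 = line.strip().split(":")
        store[(user, realm)] = ha1
    return store


class DigestServer:
    """Verifier that never sees a cleartext password and tracks nonce use."""

    def __init__(self, store: dict):
        self.store = store
        self.issued = set()   # nonces handed out in WWW-Authenticate challenges
        self.used = set()     # (nonce, nc) pairs already accepted, for replay rejection

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, params: dict, method: str) -> bool:
        nonce = params["nonce"]
        # The nonce/nc check is the optional part of the spec; without it a
        # captured Authorization header can simply be sent again.
        if nonce not in self.issued or (nonce, params["nc"]) in self.used:
            return False
        ha1 = self.store.get((params["username"], params["realm"]))
        if ha1 is None:
            return False
        expected = compute_response(ha1, method, params["uri"], nonce,
                                    params["nc"], params["cnonce"], params["qop"])
        if not secrets.compare_digest(expected, params["response"]):
            return False
        self.used.add((nonce, params["nc"]))
        return True


def client_authorization(username: str, password: str, realm: str, method: str,
                         uri: str, nonce: str, cnonce: str = None) -> dict:
    """Build the Authorization parameters a browser would send for one request."""
    cnonce = cnonce or secrets.token_hex(8)
    nc = "00000001"
    ha1 = compute_ha1(username, realm, password)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "cnonce": cnonce, "nc": nc, "qop": "auth",
            "response": compute_response(ha1, method, uri, nonce, nc, cnonce)}


def header_line(params: dict) -> str:
    """Serialize the parameters the way they appear on the wire."""
    return "Authorization: Digest " + ", ".join(f'{k}="{v}"' for k, v in params.items())


def demo() -> dict:
    """Run one challenge, then a wrong-password attempt, a valid login and a replay."""
    server = DigestServer(load_ha1_store(PASSWORD_FILE))
    nonce = server.challenge()
    bad = client_authorization("alice", "wrong", REALM, "GET", "/secret", nonce)
    good = client_authorization("alice", "correct horse", REALM, "GET", "/secret", nonce)
    return {
        "password_on_wire": "correct horse" in header_line(good),  # False: only hashes travel
        "bad": server.verify(bad, "GET"),       # False: response does not match stored HA1
        "good": server.verify(good, "GET"),     # True
        "replay": server.verify(good, "GET"),   # False: same (nonce, nc) seen before
    }


if __name__ == "__main__":
    print(demo())
```

Note what the example does and does not show: the server authenticates alice using nothing but the stored HA1, so a leaked password file yields salted MD5 digests rather than passwords, and a header captured on the wire is useless once the server records the `(nonce, nc)` pair it already accepted. It does nothing for the request body or the response, which still travel in the clear, and the client has no way of knowing whether the challenge came from the real server, which is exactly the gap the answers above attribute to Digest without SSL.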