Lakmal Caldera

Reputation: 1031

(HTTP Basic auth/HTTPS == HTTP Digest auth)?

Is it true that using HTTP Basic auth over HTTPS is at a security level equivalent to HTTP Digest auth? If so, how does HTTP Digest achieve that level of security? Does it add the username and password into the authentication header? Sorry, I'm a bit confused. Can someone help me out? Thnx :)

Upvotes: 0

Views: 948

Answers (1)

RomanK

Reputation: 1266

No, it is not exactly true.

Digest adds username, hashes of the password, and nonces to prevent replay attacks. However, the hashes are calculated with MD5 which is known to be cryptographically weak.

Basic auth does not protect against replay attacks and does not hash the password, but with HTTPS, the pair passes encrypted.

In summary:

Basic over HTTPS protects the username and provides strong cryptographic protection of the password. It is not susceptible to replay attacks since HTTPS protects against those.

Digest over HTTP is prone to cryptographic weaknesses in MD5, and passes the username in the clear. It does protect against replay attacks.

Unless you have strong challenges with deploying HTTPS, I'd recommend the former.

Upvotes: 1
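To make the difference concrete, here is an added example (not part of the original question or answer) that builds both headers and checks a Digest response on the server side. The Basic token is shown to decode back to the plaintext pair, which is why the answer insists on HTTPS. The Digest part follows the RFC 2617 construction (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)) and uses the RFC's own worked values for the check; the server class is a simplified, hypothetical verifier that treats each issued nonce as single-use so a captured response cannot be replayed. The realm, user names and password in the sample data are constructed or taken from the RFC example, not from any real deployment.

```python
import base64
import hashlib
import secrets


def basic_header(username, password):
    """Build an HTTP Basic Authorization header value (base64 of user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header_value):
    """Recover the plaintext credentials from a Basic header.

    Base64 is an encoding, not encryption: anyone who sees the header
    (no HTTPS) gets the password back with this one call.
    """
    token = header_value.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(text):
    # MD5 is what RFC 2617 Digest specifies; the answer above notes it is weak.
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side Digest computation (RFC 2617, qop=auth)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # never leaves the client as-is
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Hypothetical minimal verifier: stores HA1 per user, issues single-use nonces."""

    def __init__(self, realm, users):
        self.realm = realm
        # The server only needs HA1, not the password itself.
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()

    def challenge(self):
        """Issue a fresh random nonce, as the WWW-Authenticate header would carry."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        """Accept only responses bound to a nonce this server issued and has not yet consumed."""
        if nonce not in self.issued:
            return False                 # unknown or already-used nonce: treat as replay
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.issued.discard(nonce)   # single-use: the same response cannot be accepted twice
        return ok


def replay_demo():
    """Legitimate request succeeds once; the identical captured request is rejected."""
    server = DigestServer("example.realm", {"alice": "constructed-password"})
    nonce = server.challenge()
    resp = digest_response("alice", "example.realm", "constructed-password",
                           "GET", "/secret", nonce, "00000001", "deadbeef")
    first = server.verify("alice", "GET", "/secret", nonce, "00000001", "deadbeef", resp)
    second = server.verify("alice", "GET", "/secret", nonce, "00000001", "deadbeef", resp)
    return first, second


if __name__ == "__main__":
    hdr = basic_header("alice", "constructed-password")
    print(hdr, "->", decode_basic(hdr))
    print("first use accepted, replay accepted:", replay_demo())
```

The username still travels in the clear in the Digest header, and HA1 itself is a password-equivalent on the server, which is why a TLS-protected Basic exchange with a properly hashed password store is the usual recommendation today.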
