From: Stefan Fritsch This module implements HTTP Digest Authentication
(RFC2617), and
- provides a more secure alternative to mod_auth_basic
.mod_auth_basic
where the
+ password is not transmitted as cleartext. However, this does
+ not lead to a significant security advantage over
+ basic authentication. On the other hand, the password storage on the
+ server is much less secure with digest authentication than with
+ basic authentication. Therefore, using basic auth and encrypting the
+ whole connection using mod_ssl
is a much better
+ alternative.
Digest authentication is more secure than Basic authentication, - but only works with supporting browsers. As of this writing (December - 2012) all major browsers support digest authentication.
+Digest authentication was intended to be more secure than basic
+ authentication, but no longer fulfills that design goal. A
+ man-in-the-middle attacker can trivially force the browser to downgrade
+ to basic authentication. And even a passive eavesdropper can brute-force
+ the password using today's graphics hardware, because the hashing
+ algorithm used by digest authentication is too fast. Another problem is
+ that the storage of the passwords on the server is insecure. The contents
+ of a stolen htdigest file can be used directly for digest authentication.
+ Therefore using mod_ssl
to encrypt the whole connection is
+ strongly recommended.
mod_auth_digest
only works properly on platforms
where APR supports shared memory.
Description: | Authentification utilisateur utilisant les condensés MD5 |
---|---|
Statut: | Extension |