From: Stefan Fritsch Date: Mon, 30 Dec 2013 16:49:31 +0000 (+0000) Subject: digest auth is only marginally more secure than basic auth. X-Git-Tag: 2.5.0-alpha~4706 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7c241cef4f0b618063a3171324505960618ea713;p=apache digest auth is only marginally more secure than basic auth. Adjust the docs to today's reality. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1554276 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_auth_digest.xml b/docs/manual/mod/mod_auth_digest.xml index df87588eba..0f58d63925 100644 --- a/docs/manual/mod/mod_auth_digest.xml +++ b/docs/manual/mod/mod_auth_digest.xml @@ -32,7 +32,11 @@

This module implements HTTP Digest Authentication (RFC2617), and - provides a more secure alternative to mod_auth_basic.

+ provides an alternative to mod_auth_basic where the + password is not transmitted as cleartext. However, the security + improvement over basic authentication is very small. Encrypting the + whole connection using mod_ssl is a much better + alternative.

 AuthName @@ -70,9 +74,14 @@ Note -

Digest authentication is more secure than Basic authentication, - but only works with supporting browsers. As of this writing (December - 2012) all major browsers support digest authentication.

+

Digest authentication was intended to be more secure than basic + authentication, but no longer fulfills that design goal. A + man-in-the-middle attacker can trivially force the browser to downgrade + to basic authentication. And even a passive eavesdropper can brute-force + the password using today's graphics hardware, because the hashing + algorithm used by digest authentication is too fast. Therefore + using mod_ssl to encrypt the whole connection is + recommended.

mod_auth_digest only works properly on platforms where APR supports shared memory.