From 7c241cef4f0b618063a3171324505960618ea713 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Mon, 30 Dec 2013 16:49:31 +0000 Subject: [PATCH] digest auth is only marginally more secure than basic auth. Adjust the docs to today's reality. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1554276 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_auth_digest.xml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/manual/mod/mod_auth_digest.xml b/docs/manual/mod/mod_auth_digest.xml index df87588eba..0f58d63925 100644 --- a/docs/manual/mod/mod_auth_digest.xml +++ b/docs/manual/mod/mod_auth_digest.xml @@ -32,7 +32,11 @@

This module implements HTTP Digest Authentication (RFC2617), and - provides a more secure alternative to mod_auth_basic.

+ provides an alternative to mod_auth_basic where the + password is not transmitted as cleartext. However, the security + improvement over basic authentication is very small. Encrypting the + whole connection using mod_ssl is a much better + alternative.

 AuthName @@ -70,9 +74,14 @@ Note -

Digest authentication is more secure than Basic authentication, - but only works with supporting browsers. As of this writing (December - 2012) all major browsers support digest authentication.

+

Digest authentication was intended to be more secure than basic + authentication, but no longer fulfills that design goal. A + man-in-the-middle attacker can trivially force the browser to downgrade + to basic authentication. And even a passive eavesdropper can brute-force + the password using today's graphics hardware, because the hashing + algorithm used by digest authentication is too fast. Therefore + using mod_ssl to encrypt the whole connection is + recommended.

mod_auth_digest only works properly on platforms where APR supports shared memory.

 -- 2.40.0