From d3ce799aa5258e718a6b703d81826666684563db Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sun, 5 Jan 2014 16:06:53 +0000
Subject: [PATCH] Merge r1554276, r1554281 from trunk:
digest auth is only marginally more secure than basic auth.
Adjust the docs to today's reality.
mention insecure password storage as pointed out by Graham
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555538 13f79535-47bb-0310-9956-ffa450edef68
---
docs/manual/mod/mod_auth_digest.xml | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/docs/manual/mod/mod_auth_digest.xml b/docs/manual/mod/mod_auth_digest.xml
index f558321615..fa8cd4393b 100644
--- a/docs/manual/mod/mod_auth_digest.xml
+++ b/docs/manual/mod/mod_auth_digest.xml
@@ -32,7 +32,14 @@
This module implements HTTP Digest Authentication
(RFC2617), and
- provides a more secure alternative to mod_auth_basic.
+ provides an alternative to mod_auth_basic where the
+ password is not transmitted as cleartext. However, this does
+ not lead to a significant security advantage over
+ basic authentication. On the other hand, the password storage on the
+ server is much less secure with digest authentication than with
+ basic authentication. Therefore, using basic auth and encrypting the
+ whole connection using mod_ssl is a much better
+ alternative.
AuthName
@@ -70,9 +77,16 @@
Note
- Digest authentication is more secure than Basic authentication,
- but only works with supporting browsers. As of this writing (December
- 2012) all major browsers support digest authentication.
+ Digest authentication was intended to be more secure than basic
+ authentication, but no longer fulfills that design goal. A
+ man-in-the-middle attacker can trivially force the browser to downgrade
+ to basic authentication. And even a passive eavesdropper can brute-force
+ the password using today's graphics hardware, because the hashing
+ algorithm used by digest authentication is too fast. Another problem is
+ that the storage of the passwords on the server is insecure. The contents
+ of a stolen htdigest file can be used directly for digest authentication.
+ Therefore using mod_ssl to encrypt the whole connection is
+ strongly recommended.
mod_auth_digest only works properly on platforms
where APR supports shared memory.
--
2.40.0