[Lispweb] Araneida basic versus digest authentication
Donavon Keithley
keithley at easystreet.com
Fri Mar 24 15:16:29 CST 2006
On Friday 24 March 2006 11:07, Kamen TOMOV wrote:
> The Digest auth is considered secure as the credentials are not sent.

Be aware that a naive implementation can be vulnerable to replay attacks and
that there are a number of security issues not addressed by digest
authentication (RFC2617, section 4). When Kamen says it's considered secure,
I'm sure he doesn't mean to imply that it's considered secure. :-)

> Additional security can be
> achieved by providing encryption on the transport layer (SSL).

Indeed, SSL provides *substantially* greater security. And once you've gone
with HTTPS, there's rarely if ever any reason to bother with digest over
basic authentication.

Donavon Keithley
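
Added example, not part of the original message and not Araneida code: a server-side RFC 2617 digest check (qop=auth) in Python, showing a hash-only verifier that accepts a captured request a second time next to one that also checks nonce authenticity, nonce age and nonce-count. The names SECRET, REALM, USERS and NONCE_TTL and the "timestamp:HMAC" nonce layout are assumptions made for the example; RFC 2617 leaves nonce construction to the server.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"  # constructed sample value
REALM = "example"                      # constructed sample value
USERS = {"alice": "wonderland"}        # constructed sample credentials
NONCE_TTL = 300                        # seconds a nonce stays usable (assumed policy)

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def nonce_mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def make_nonce(now):  # issue time plus a MAC, so the server recognises its own nonces
    ts = str(int(now))
    return f"{ts}:{nonce_mac(ts)}"

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    def __init__(self):
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def naive_verify(self, req):
        """Checks only the hash, so a captured request verifies again."""
        password = USERS.get(req["username"])
        if password is None:
            return False
        expected = digest_response(req["username"], password, req["method"], req["uri"],
                                   req["nonce"], req["nc"], req["cnonce"])
        return hmac.compare_digest(expected.encode(), req["response"].encode())

    def verify(self, req, now):  # adds nonce authenticity, age and nonce-count checks
        ts, _, mac = req["nonce"].partition(":")
        if not hmac.compare_digest(mac.encode(), nonce_mac(ts).encode()):
            return "bad-nonce"
        if now - int(ts) > NONCE_TTL:
            return "stale"
        if not self.naive_verify(req):
            return "bad-response"
        nc = int(req["nc"], 16)  # nc is an 8-digit hex counter; malformed input raises
        if nc <= self.last_nc.get(req["nonce"], 0):
            return "replay"
        self.last_nc[req["nonce"]] = nc
        return "ok"
```

Entries in `last_nc` older than NONCE_TTL can be dropped, since `verify` already rejects those nonces as stale.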