There seem to be 2 separate arguments going on here - one about the best way to implement non-Basic authentication in AOLserver, and another about the usefulness of using Digest in the first place. I'm going to avoid the implementation-related stuff and stick solely to the utility of Digest auth.
On 04/11/2003, at 3:01 AM, Dossy wrote:
> <snip>Authentication being hard-wired in C and very lightweight (only supporting Basic auth) makes sense, because authentication checks could potentially have to be performed for EVERY single HTTP request -- if it weren't lightweight and wired in C, there could be risk of performance loss at the auth layer.
> If you're using SSL, you don't need Digest auth for most applications.
So our options are either a lightweight implementation with zero real security, or a heavyweight implementation with full authentication and encryption? There's no middle ground?
> And, if you're using non-SSL HTTP connections, Digest auth isn't giving you much security. It's giving you authentication without transmitting the shared-secret in the clear, but it's giving you no encryption and doesn't prevent man-in-the-middle attacks. It's hardly security.
Digest *does* provide protection against MITM - see section 2.1.2 of RFC 2069 - no intermediate party can retrieve the cleartext of the user's password, turn the user's requests for some URI into requests for another URI, or change the body of the request. Section 2.1.3 describes how the server can additionally let the client know that the response has not been changed en-route.
> Let me restate the question a little clearer: other than non-SSL WebDAV, what specific /application/ uses Digest auth as a must-have requirement?
What are you asking for here? RFC #s? business cases? a letter from my manager?
Can you see that transmitting passwords in cleartext is something that should (all other things being equal) be avoided? I have personally known people at a major ISP who hung a password-grabber off the side of the main customer web proxy in a particular city, just for amusement. I read an article a while (6 months?) ago about a US cable ISP who had their primary DNS server compromised, which then served the address of a malicious proxy to all their clients. Password sniffing attacks are a real thing on the internet, but because they don't leave us, the implementors, with the pain of rebuilding a rooted box, we don't tend to care as much as we do about attacks against our own servers.
I'm not asking you to implement it, I just find it hard to understand how so many people here can believe that there is no benefit at all to using something like Digest.
Russell
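The RFC 2069 mechanics the message above refers to (the request digest of section 2.1.2 and the server's response digest of section 2.1.3), as an added worked example that is not code from the list thread or from AOLserver. It computes the client's `response` value, verifies it server-side against the method and URI the server actually received, and forms the digest the server can return so the client can check the reply was not altered. The realm, user, password, URIs and the one-time-nonce policy are constructed for the example; RFC 2069 itself permits nonce reuse, and the one-time policy is a deliberate choice here to rule out replay.

```python
# Added example (not from the AOLserver list or its code): the RFC 2069
# request/response digests, with a server-side check that shows why an
# on-path party cannot reuse a digest for a different URI, and how the
# server's Authentication-Info digest (section 2.1.3) is formed.
import hashlib
import hmac
import secrets


def h(data: str) -> str:
    """H() from RFC 2069: MD5 rendered as lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def kd(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return h(f"{secret}:{data}")


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1): all the server needs to store; the password never crosses the wire."""
    return h(f"{username}:{realm}:{password}")


def request_digest(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """Client's 'response' value (section 2.1.2): KD(H(A1), nonce ":" H(method ":" uri))."""
    return kd(ha1_value, f"{nonce}:{h(f'{method}:{uri}')}")


def response_digest(ha1_value: str, nonce: str, uri: str) -> str:
    """Server's digest for Authentication-Info (section 2.1.3): A2 is ":" uri, no method."""
    return kd(ha1_value, f"{nonce}:{h(f':{uri}')}")


def client_authorize(username, password, realm, nonce, method, uri) -> dict:
    """Fields the client puts in its Authorization: Digest header."""
    return {
        "username": username,
        "realm": realm,
        "nonce": nonce,
        "uri": uri,
        "response": request_digest(ha1(username, realm, password), nonce, method, uri),
    }


class DigestServer:
    """Minimal verifier: stores H(A1) per user and issues one-time nonces
    (stricter than RFC 2069 requires; chosen here to rule out replay)."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users          # constructed: username -> H(A1)
        self.live_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, method: str, uri: str, authz: dict):
        """Check an Authorization header against the request actually received.
        Returns (True, server_digest) on success, (False, None) otherwise."""
        nonce = authz.get("nonce")
        stored = self.users.get(authz.get("username"))
        if stored is None or nonce not in self.live_nonces or authz.get("realm") != self.realm:
            return False, None
        # The digest-uri in the header must match the request line; an
        # intermediary that rewrites only the request line is caught here.
        if authz.get("uri") != uri:
            return False, None
        # Recompute over the method and URI the server actually received, so
        # rewriting both the request line and the uri field is caught as well.
        expected = request_digest(stored, nonce, method, uri)
        if not hmac.compare_digest(expected, authz.get("response", "")):
            return False, None
        self.live_nonces.discard(nonce)   # one-time nonce: a replayed header fails
        return True, response_digest(stored, nonce, uri)
```

The verifier recomputes the digest from the request it received rather than trusting the header's `uri` field, which is what ties the credential to one method and URI; a header copied onto a different request, or replayed after the nonce has been used, is rejected. Note that H(A1) is MD5 over the password, so the stored table is a password-equivalent and must be protected as such.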
-- AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.