James Holderness wrote on 2/23/2006, 5:09 PM:
> I understand the desire for interoperability, but if you have to make a
> recommendation, why Basic+TLS rather than, say, Digest without TLS, which is
> certainly a lot easier? There may be very convincing security reasons for
> wanting to recommend TLS, but I don't know enough about security to know what
> these arguments are. So far the only complaint I've seen against Digest was
> that someone hacking into your password database could use the password
> hashes to spoof a login. IMHO that's not a very convincing argument.
It's a reasonable question. Here's the argument:

HTTP Digest is also vulnerable to man-in-the-middle attacks, which are not as unlikely as one might think given the growing popularity of WiFi networks. So even with HTTP Digest there are security problems. That particular problem mostly goes away if you add TLS. But now HTTP Digest is unnecessary, because you're already protecting the password; why do extra work? In other words, if you need TLS for security anyway, just use HTTP Basic and make life easier for both client and server.

Also, if you care about security and man-in-the-middle attacks, it would be helpful if, in addition to protecting your password, you also protected the data, so that an attacker can't simply replace your blog post (or news alert) with their own. TLS helps with this as well.

Finally, of course, if you really do have privacy needs (an internal feed of corporate data, for example), you will also want to protect the data from observation, not just modification, in transit. TLS works here too.

I believe that most standard HTTP libraries support HTTPS, so most likely it would 'just work'. It certainly does in my current news reader. Given that assumption, using HTTP Basic is just making things simpler. It certainly simplifies life for the server.

-- 
John Panzer
Sr. Technical Manager
http://journals.aol.com/panzerjohn/abstractioneer
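The two points raised in this exchange can be made concrete in code. What follows is an added example, not code from either poster: it implements the RFC 2617 Digest formulas for qop=auth alongside HTTP Basic, then shows (a) that a Basic header without TLS hands the password to anyone on the wire, (b) that a stolen H(A1) from the server's password store is enough to answer Digest challenges without ever knowing the password, and (c) that an active man-in-the-middle can swap the body of a Digest-authenticated POST without invalidating the Authorization data, since qop=auth covers only the method and URI. The user name, realm, password, nonce, cnonce, URI and request bodies are constructed for the demo.

```python
# Added example, not from the thread: HTTP Basic vs. HTTP Digest (RFC 2617,
# qop=auth) on a link without TLS. User, realm, password, nonce, cnonce,
# URIs and bodies below are constructed values for the demonstration.
import base64
import hashlib
import hmac


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Build an HTTP Basic Authorization header. Base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials(header):
    """What a passive observer on a non-TLS link recovers from a Basic header."""
    decoded = base64.b64decode(header[len("Basic "):]).decode()
    user, password = decoded.split(":", 1)
    return user, password


def digest_ha1(user, realm, password):
    """H(A1) = MD5(user:realm:password). RFC 2617 lets a server store this
    instead of the password, which is exactly why a stolen copy is usable."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth. A2 is method:uri, so the entity body
    is never covered (only qop=auth-int would include it)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_request_from_ha1(user, ha1, nonce, cnonce, method, uri, body, nc="00000001"):
    """Request as produced by a client that knows only H(A1), e.g. a hash
    lifted from a compromised password database."""
    return {
        "method": method, "uri": uri, "body": body, "username": user,
        "nonce": nonce, "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def digest_request(user, realm, password, nonce, cnonce, method, uri, body):
    """Request as produced by a legitimate client that knows the password."""
    ha1 = digest_ha1(user, realm, password)
    return digest_request_from_ha1(user, ha1, nonce, cnonce, method, uri, body)


def server_verify(stored_ha1, req):
    """Server-side Digest check from the stored H(A1). A real server also
    tracks nonce freshness and the nc counter; that is omitted here."""
    expected = digest_response(stored_ha1, req["method"], req["uri"],
                               req["nonce"], req["nc"], req["cnonce"])
    return hmac.compare_digest(expected, req["response"])


def mitm_replace_body(req, new_body):
    """Active attacker on the path: forward every Authorization field
    untouched and replace only the entity body (the blog post)."""
    tampered = dict(req)
    tampered["body"] = new_body
    return tampered


if __name__ == "__main__":
    # (a) Basic without TLS: the password is readable in transit.
    hdr = basic_header("alice", "s3cret")
    print("Basic header on the wire:", hdr, "->", basic_credentials(hdr))

    # (b) Digest: the stored H(A1) alone answers the challenge.
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
    stored = digest_ha1("alice", "blog", "s3cret")
    real = digest_request("alice", "blog", "s3cret", nonce, cnonce, "POST", "/post", "Hello")
    forged = digest_request_from_ha1("alice", stored, nonce, cnonce, "POST", "/post", "Hello")
    print("legit accepted:", server_verify(stored, real),
          "| forged from stolen H(A1) accepted:", server_verify(stored, forged))

    # (c) Digest: body replaced by a man-in-the-middle still verifies.
    swapped = mitm_replace_body(real, "Attacker's post")
    print("body swapped, still accepted:", server_verify(stored, swapped))
```

Under TLS the Basic header, the body and the response are all inside the encrypted, integrity-protected channel, so (a) and (c) disappear without any Digest machinery; (b) is a property of how Digest servers store credentials and is not fixed by TLS at all. That is the trade-off the reply above is describing.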
