On Jan 2, 2008, at 12:37 PM, Landon Fuller wrote:

- Digest authentication is indistinguishable from Basic authentication -- your browser will display the same dialog regardless of the authentication type.

Safari distinguishes them; Basic authentication dialogs say the password will be sent in the clear.

Currently, trying to access http://www.macosforge.org/wp-login.php in Safari says the following:
        "Your password will be sent in the clear."

Oh right, ironically Safari has a bug in that the message is displayed even for digest authentication (it is not intended to be).

Firefox doesn't show any difference in the auth dialog -- I'd easily log in using the basic auth. Also, does Safari refuse to auto-login if the authentication type changes?

Unknown.  The RFC suggests that it should.  =)

At best, it will prevent a passive attacker from acquiring your password. Anyone engaging in an active MITM attack will have no difficulty acquiring your password.

I agree SSL provides additional security benefits, but digest authentication isn't as transparent as you indicate.

I still hold that it is -- digest auth makes passive sniffing useless, but it doesn't prevent an active attack from acquiring your password, especially if you're using a browser that fails to differentiate between digest and basic auth.

We're probably talking past each other, and I'm probably splitting hairs. I disagree that the MITM can "acquire your password" but I agree that a MITM could "masquerade as you."

- Kevin
_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo/macports-dev
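Added example, not part of the thread: an RFC 2617 Digest computation (qop="auth") showing what actually crosses the wire and why a passively captured exchange cannot be replayed against a fresh challenge, which is the "passive sniffing is useless" point above. The realm, user, password and URI are constructed values; it says nothing about the active case, where the party issuing the challenge is the attacker.

```python
# Added example (not from the thread): RFC 2617 Digest auth with qop="auth".
# All names and values below are constructed for illustration.
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # The server may store only this value; it never needs the plaintext password.
    return _md5(f"{username}:{realm}:{password}")

def client_authorization(username, realm, password, method, uri, nonce,
                         nc="00000001", qop="auth"):
    """Build the Authorization fields a client sends. The password is hashed in, not sent."""
    cnonce = secrets.token_hex(8)
    h2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "nc": nc, "cnonce": cnonce, "qop": qop, "response": response}

def server_verify(stored_ha1, method, server_nonce, auth):
    """Recompute the digest from the stored HA1 and the nonce this server issued."""
    if auth["nonce"] != server_nonce:      # response bound to some other challenge
        return False
    h2 = _md5(f"{method}:{auth['uri']}")
    expected = _md5(f"{stored_ha1}:{server_nonce}:{auth['nc']}:{auth['cnonce']}:"
                    f"{auth['qop']}:{h2}")
    return secrets.compare_digest(expected, auth["response"])

def demo():
    """Returns (first login accepted, password visible on wire, captured reply replays)."""
    realm, user, password = "macosforge", "kevin", "correct horse battery"  # constructed
    stored = ha1(user, realm, password)
    nonce1 = secrets.token_hex(16)         # challenge for the first login
    captured = client_authorization(user, realm, password, "GET", "/wp-login.php", nonce1)
    ok_first = server_verify(stored, "GET", nonce1, captured)
    password_on_wire = password in " ".join(captured.values())
    nonce2 = secrets.token_hex(16)         # the next login gets a fresh challenge
    replay_ok = server_verify(stored, "GET", nonce2, captured)
    return ok_first, password_on_wire, replay_ok

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```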
