
HTTP: The Definitive Guide

By David Gourley... Published by O'Reilly Media, Inc.

Chapter 13. Digest Authentication

Basic authentication is convenient and flexible but completely insecure. Usernames and passwords are sent in the clear,[1] and there is no attempt to protect messages from tampering. The only way to use basic authentication securely is to use it in conjunction with SSL.

Digest authentication was developed as a compatible, more secure alternative to basic authentication. We devote this chapter to the theory and practice of digest authentication. Even though digest authentication is not yet in wide use, the concepts still are important for anyone implementing secure transactions.

The Improvements of Digest Authentication

Digest authentication is an alternate HTTP authentication protocol that tries to fix the most serious flaws of basic authentication. In particular, digest authentication:

  • Never sends secret passwords across the network in the clear

  • Prevents unscrupulous individuals from capturing and replaying authentication handshakes

  • Optionally can guard against tampering with message contents

  • Guards against several other common forms of attacks
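To make the list above concrete, here is an added Python example (not code from the book) of one digest exchange: the client computes the RFC 2617 response value, and the server verifies it, rejects a replay of an already-used nonce-count, and, when the client chose qop=auth-int, rejects a request whose body was modified in transit. The MD5 formulas are those of RFC 2617 (an assumption of this example; the chapter text above does not define them); the realm, the user table and the in-memory nonce store are constructed for illustration.

```python
"""Digest authentication round-trip (added example, not from the book).
Assumes the RFC 2617 formulas:
    HA1      = MD5(username:realm:password)
    HA2      = MD5(method:uri)                      for qop=auth
    HA2      = MD5(method:uri:MD5(entity-body))     for qop=auth-int
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
The realm, user table and nonce store below are constructed sample data."""
import hashlib
import secrets

REALM = "example-realm"                               # constructed realm
USERS = {"alice": "correct horse battery staple"}     # constructed user/password


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, password, realm, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """RFC 2617 response digest. The password enters only through HA1,
    so the value placed on the wire never reveals it."""
    ha1 = md5_hex(f"{username}:{realm}:{password}".encode())
    if qop == "auth-int":
        # auth-int binds the entity body: any change to the body changes HA2
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    else:
        ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


class DigestServer:
    """Issues nonces and verifies Authorization fields. Remembering the
    highest nonce-count accepted per nonce is what defeats a captured and
    replayed request: the replay carries an nc the server has already seen."""

    def __init__(self):
        self.nonces = {}   # nonce -> highest nc accepted (constructed store)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": REALM, "nonce": nonce, "qop": "auth,auth-int"}

    def verify(self, fields, method, body=b""):
        nonce = fields["nonce"]
        if nonce not in self.nonces:
            return False, "unknown or expired nonce"
        nc = int(fields["nc"], 16)
        if nc <= self.nonces[nonce]:
            return False, "replayed nonce-count"
        password = USERS.get(fields["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(fields["username"], password, REALM, method,
                                   fields["uri"], nonce, fields["nc"],
                                   fields["cnonce"], fields["qop"], body)
        if not secrets.compare_digest(expected, fields["response"]):
            return False, "bad digest"
        self.nonces[nonce] = nc          # record only after a successful check
        return True, "ok"


def client_authorize(challenge, username, password, method, uri, nc, qop, body=b""):
    """Build the fields a client would place in its Authorization header."""
    cnonce = secrets.token_hex(8)
    fields = {"username": username, "realm": challenge["realm"],
              "nonce": challenge["nonce"], "uri": uri, "qop": qop,
              "nc": f"{nc:08x}", "cnonce": cnonce}
    fields["response"] = digest_response(username, password, challenge["realm"],
                                         method, uri, challenge["nonce"],
                                         fields["nc"], cnonce, qop, body)
    return fields


def demo():
    """One challenge, then: a valid request, a replay of it, a body-tampered
    request, and a fresh valid request. Returns the outcome of each."""
    server = DigestServer()
    ch = server.challenge()
    body = b'{"amount": 10}'                          # constructed request body
    pw = USERS["alice"]
    auth = client_authorize(ch, "alice", pw, "POST", "/transfer", 1, "auth-int", body)
    results = {"password_on_wire": pw in str(auth)}
    results["first"] = server.verify(auth, "POST", body)[0]
    results["replay"] = server.verify(auth, "POST", body)[0]
    auth2 = client_authorize(ch, "alice", pw, "POST", "/transfer", 2, "auth-int", body)
    results["tampered"] = server.verify(auth2, "POST", b'{"amount": 9999}')[0]
    auth3 = client_authorize(ch, "alice", pw, "POST", "/transfer", 3, "auth-int", body)
    results["second"] = server.verify(auth3, "POST", body)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The nonce store is intentionally minimal: a production server would also expire nonces and persist the counters across workers, otherwise a replay against a different process would not be caught.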

Digest authentication is not the most secure protocol possible.[2] Many needs for secure HTTP transactions cannot be met by digest authentication. For those needs, Transport Layer Security (TLS) and Secure HTTP (HTTPS) are more appropriate protocols.

However, digest authentication is significantly stronger than basic authentication, which it was designed to replace. Digest authentication also is stronger than ...
