Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2013/12/30 17:58:45 UTC

digest auth is not really more secure than basic auth (Fwd: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml)

Does anyone disagree with the below change (not yet merged to 2.x 
branches)? There is a similar paragraph in howto/auth.xml that I 
intend to remove.


----------

Author: sf
Date: Mon Dec 30 16:49:31 2013
New Revision: 1554276

URL: http://svn.apache.org/r1554276
Log:
digest auth is only marginally more secure than basic auth.
Adjust the docs to today's reality.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml?rev=1554276&r1=1554275&r2=1554276&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml Mon Dec 30 
16:49:31 2013
@@ -32,7 +32,11 @@
 <summary>
     <p>This module implements HTTP Digest Authentication
     (<a href="http://www.faqs.org/rfcs/rfc2617.html">RFC2617</a>), 
and
-    provides a more secure alternative to 
<module>mod_auth_basic</module>.</p>
+    provides an alternative to <module>mod_auth_basic</module> where 
the
+    password is not transmitted as cleartext. However, the security
+    improvement over basic authentication is very small. Encrypting 
the
+    whole connection using <module>mod_ssl</module> is a much better
+    alternative.</p>
 </summary>
 
 <seealso><directive 
module="mod_authn_core">AuthName</directive></seealso>
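Review bot: the new summary text states that the security improvement over basic authentication is "very small" without saying why, while the reasons (forced downgrade to basic, a hash that is cheap to brute-force) appear only in the note changed further down; a short pointer from the summary to that note, or a clause such as "see the note below", would keep readers who stop at the summary from missing the rationale. Minor: the unchanged context still links RFC2617 via faqs.org rather than the IETF copy, which could be updated in the same pass.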
@@ -70,9 +74,14 @@
     </example>
 
     <note><title>Note</title>
-    <p>Digest authentication is more secure than Basic 
authentication,
-    but only works with supporting browsers. As of this writing 
(December
-    2012) all major browsers support digest authentication.</p>
+    <p>Digest authentication was intended to be more secure than 
basic
+    authentication, but no longer fulfills that design goal. A
+    man-in-the-middle attacker can trivially force the browser to 
downgrade
+    to basic authentication. And even a passive eavesdropper can 
brute-force
+    the password using today's graphics hardware, because the hashing
+    algorithm used by digest authentication is too fast. Therefore
+    using <module>mod_ssl</module> to encrypt the whole connection is
+    recommended.</p>
     <p><module>mod_auth_digest</module> only works properly on 
platforms
       where APR supports shared memory.</p>
     </note>
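Review bot: the removed sentence was the only place this page said that digest authentication depends on browser support; the replacement drops that operational caveat entirely instead of refreshing the date, so consider keeping one sentence on browser support alongside the new security text. The downgrade claim ("trivially force the browser to downgrade") holds for an attacker who can alter the unencrypted challenge, which is exactly what the <module>mod_ssl</module> recommendation that follows addresses; saying so makes the recommendation follow from the threat. Naming the algorithm (MD5, the only one RFC2617 specifies) would also make "the hashing algorithm ... is too fast" concrete.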


Re: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Monday, 30 December 2013, 18:11:56, Reindl Harald wrote:
> On 30.12.2013 18:07, Graham Leggett wrote:
> > On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> >> Does anyone disagree with the below change (not yet merged to 2.x
> >> branches)? There is a similar paragraph in howto/auth.xml that I
> >> intend to remove.
> > 
> > I would say digest authentication is insecure because it (to my
> > knowledge) forces you to store the password in cleartext
> 
> clearly no
> 
> [harry@srv-rhsoft:~]$ htdigest --help
> Usage: htdigest [-c] passwordfile realm username
> The -c flag creates a new file.
> 
> does *not* store plaintext passwords

True, but as with the hash transmitted over the wire, the hash used in 
the digest file is just a single round of md5 which can easily be 
brute forced. Also, if the hashed string in the htdigest file is 
known, one can use it for digest authentication without knowing the 
real password.

The insecure password storage is definitely another reason not to use 
digest auth. I will add that to the docs, too.
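As an added illustration of the point above (not code from the thread or from httpd), the RFC 2617 response computed once from the password and once from the HA1 value an htdigest file stores, using the RFC's own section 3.5 example values; the two agree, which is why the stored hash is password-equivalent:

```python
import hashlib


def md5hex(s: str) -> str:
    """Single round of MD5, the only primitive RFC 2617 digest auth uses."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_from_password(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is what htdigest writes to the
    password file, so the file never holds the cleartext password."""
    return md5hex(f"{user}:{realm}:{password}")


def parse_htdigest_line(line: str):
    """An htdigest line is 'user:realm:HA1' with HA1 as 32 hex chars."""
    user, realm, ha1 = line.strip().split(":", 2)
    return user, realm, ha1


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. The input is HA1, not the password:
    whoever holds HA1 can produce a valid response."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Sample values taken from the RFC 2617 section 3.5 example (not from the thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
METHOD, URI = "GET", "/dir/index.html"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"


def htdigest_line() -> str:
    """What 'htdigest passwordfile testrealm@host.com Mufasa' would store."""
    return f"{USER}:{REALM}:{ha1_from_password(USER, REALM, PASSWORD)}"


def response_from_password() -> str:
    """The client's computation: it knows the password."""
    return digest_response(ha1_from_password(USER, REALM, PASSWORD),
                           METHOD, URI, NONCE, NC, CNONCE)


def response_from_stored_hash() -> str:
    """The same computation from the htdigest file contents alone, which is
    why the file must be protected like a cleartext password."""
    _, _, ha1 = parse_htdigest_line(htdigest_line())
    return digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE)
```

Because a single MD5 per guess is all that separates an htdigest line from the password, storage with a slow, salted hash (as htpasswd offers for basic auth) plus TLS on the wire is the combination the thread arrives at.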


Re: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml

Posted by Reindl Harald <h....@thelounge.net>.

On 30.12.2013 18:07, Graham Leggett wrote:
> On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> 
>> Does anyone disagree with the below change (not yet merged to 2.x 
>> branches)? There is a similar paragraph in howto/auth.xml that I 
>> intend to remove.
> 
> I would say digest authentication is insecure because it (to my knowledge) 
> forces you to store the password in cleartext

clearly no

[harry@srv-rhsoft:~]$ htdigest --help
Usage: htdigest [-c] passwordfile realm username
The -c flag creates a new file.

does *not* store plaintext passwords


Re: digest auth is not really more secure than basic auth (Fwd: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml)

Posted by Graham Leggett <mi...@sharp.fm>.
On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:

> Does anyone disagree with the below change (not yet merged to 2.x 
> branches)? There is a similar paragraph in howto/auth.xml that I 
> intend to remove.

I would say digest authentication is insecure because it (to my knowledge) forces you to store the password in cleartext. Encrypt the password at rest, encrypt over the wire with basic_auth+ssl.

Regards,
Graham
--