You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by sf...@apache.org on 2013/12/30 17:49:32 UTC
svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
Author: sf
Date: Mon Dec 30 16:49:31 2013
New Revision: 1554276
URL: http://svn.apache.org/r1554276
Log:
digest auth is only marginally more secure than basic auth.
Adjust the docs to today's reality.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml?rev=1554276&r1=1554275&r2=1554276&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml Mon Dec 30 16:49:31 2013
@@ -32,7 +32,11 @@
<summary>
<p>This module implements HTTP Digest Authentication
(<a href="http://www.faqs.org/rfcs/rfc2617.html">RFC2617</a>), and
- provides a more secure alternative to <module>mod_auth_basic</module>.</p>
+ provides an alternative to <module>mod_auth_basic</module> where the
+ password is not transmitted as cleartext. However, the security
+ improvement over basic authentication is very small. Encrypting the
+ whole connection using <module>mod_ssl</module> is a much better
+ alternative.</p>
</summary>
<seealso><directive module="mod_authn_core">AuthName</directive></seealso>
@@ -70,9 +74,14 @@
</example>
<note><title>Note</title>
- <p>Digest authentication is more secure than Basic authentication,
- but only works with supporting browsers. As of this writing (December
- 2012) all major browsers support digest authentication.</p>
+ <p>Digest authentication was intended to be more secure than basic
+ authentication, but no longer fulfills that design goal. A
+ man-in-the-middle attacker can trivially force the browser to downgrade
+ to basic authentication. And even a passive eavesdropper can brute-force
+ the password using today's graphics hardware, because the hashing
+ algorithm used by digest authentication is too fast. Therefore
+ using <module>mod_ssl</module> to encrypt the whole connection is
+ recommended.</p>
<p><module>mod_auth_digest</module> only works properly on platforms
where APR supports shared memory.</p>
</note>