• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Jeanne Boyarsky
  • Tim Cooke
Sheriffs:
  • Liutauras Vilda
  • paul wheaton
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Frits Walraven
Bartenders:
  • Piet Souris
  • Himai Minh

Auth by DIGEST

 
Ranch Hand
Posts: 128
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

All data between the client and the server is encrypted.



Is the above statement true when you are using DISEST? The answer says it's false. But, according to the servlet spec

Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user
based on a username and a password. However the authentication is performed by
transmitting the password in an encrypted form which is much more secure than the
simple base64 encoding used by Basic Authentication,

 
Bartender
Posts: 1638
IntelliJ IDE MySQL Database Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
i dont think "all" the data between client and server is encrypted. Digest auth just doesnt pass the password as clear text/base64encoded. Quoting the purpose of Digest access authentication as per Section 3.1.1 of RFC 2617


The protocol referred to as "HTTP/1.0" includes the specification for
a Basic Access Authentication scheme[1]. That scheme is not
considered to be a secure method of user authentication, as the user
name and password are passed over the network in an unencrypted form.
This section provides the specification for a scheme that does not
send the password in cleartext, referred to as "Digest Access
Authentication".

The Digest Access Authentication scheme is not intended to be a
complete answer to the need for security in the World Wide Web. This
scheme provides no encryption of message content.
The intent is
simply to create an access authentication method that avoids the most
serious flaws of Basic authentication.



This link contains the RFC
 
Tridib Samanta
Ranch Hand
Posts: 128
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Nitesh!
 
If tomatoes are a fruit, then ketchup must be a jam. Taste this tiny ad:
free, earth-friendly heat - a kickstarter for putting coin in your pocket while saving the earth
https://coderanch.com/t/751654/free-earth-friendly-heat-kickstarter
reply
    Bookmark Topic Watch Topic
  • New Topic