[Previous] [Next] [Index]
[Thread]
Re: Final Review of Digest Authentication
Paul writes:
> Both Basic and Digest authentication are vulnerable to "man in the
> middle" attacks, for example, from a hostile or compromised proxy.
> Clearly, this would present all the problems of eavesdropping. But
> it could also offer some additional threats.
This isn't quite right. Digest authentication is not vulnerable
to a man in the middle attack as described. Digest is vulnerable to
a downgrade attack where a client supports BASIC and BASIC is
vulnerable to man in the middle.
If a client does not support Digest the vulnerability to password
snooping goes away beacuse a client will not divulge the password under
any circumstances.
Its a picky point but an important one.
Phill