On Jan 2, 2008, at 12:37 PM, Landon Fuller wrote:
- Digest authentication is indistinguishable from Basic authentication -- your browser will display the same dialog regardless of the authentication type.
Safari distinguishes them; Basic authentication dialogs say the password will be sent in the clear.
Currently, trying to access http://www.macosforge.org/wp-login.php in Safari says the following: "Your password will be sent in the clear."
Oh right, ironically Safari has a bug in that the message is displayed even for digest authentication (it is not intended to be).
Firefox doesn't show any difference in the auth dialog -- I'd easily log in using the basic auth. Also, does Safari refuse to auto-login if the authentication type changes?
Unknown. The RFC suggests that it should. =)
At best, it will prevent a passive attacker from acquiring your password. Anyone engaging in an active MITM attack will have no difficulty acquiring your password.
I agree SSL provides additional security benefits, but digest authentication isn't as transparent as you indicate.
I still hold that it is -- digest auth makes passive sniffing useless, but it doesn't prevent an active attack from acquiring your password, especially if you're using a browser that fails to differentiate between digest and basic auth.
We're probably talking past each other, and I'm probably splitting hairs. I disagree that the MITM can "acquire your password" but I agree that a MITM could "masquerade as you." - Kevin
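The thread above hinges on two things: what a passive observer of the wire learns from a Digest response versus a Basic header, and whether a client refuses to auto-login when the challenge changes from Digest to Basic. The following is an added example, not code from anyone in the thread. It computes the RFC 2617 Digest response (qop=auth) with the RFC's own sample values, shows what each Authorization header exposes on the wire, and implements a small client-side check (the `SchemeGuard` class, a hypothetical name) that remembers the strongest scheme an origin has offered and declines to send credentials to a weaker one. The origin strings are constructed sample inputs.

```python
import base64
import hashlib
from typing import Dict, Optional


# --- RFC 2617 Digest (qop="auth") and Basic credentials ---------------------

def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client response for Digest auth with qop=auth (RFC 2617, section 3.2.2).

    Only MD5 digests bound to the server nonce leave the client; the password
    itself is never placed on the wire.
    """
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()
    ).hexdigest()


def basic_credentials(username: str, password: str) -> str:
    """Basic auth header value: base64 of user:password, i.e. plaintext."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def password_recoverable(authorization_header: str) -> Optional[str]:
    """What a passive observer learns from a single Authorization header.

    Basic: the password itself (base64 is an encoding, not protection).
    Digest: nothing directly, only a nonce-bound hash, so None is returned.
    """
    scheme, _, rest = authorization_header.partition(" ")
    if scheme.lower() == "basic":
        return base64.b64decode(rest).decode().split(":", 1)[1]
    return None


# --- Client-side downgrade guard (the check the thread asks about) ----------

class SchemeGuard:
    """Remember the strongest scheme each origin has offered; refuse to
    auto-send credentials when a later challenge is weaker (Digest -> Basic).

    Hypothetical helper added for this example, not part of any browser.
    """

    RANK = {"basic": 0, "digest": 1}

    def __init__(self) -> None:
        self.best_seen: Dict[str, str] = {}

    def allow(self, origin: str, www_authenticate: str) -> bool:
        scheme = www_authenticate.split(None, 1)[0].lower()
        if scheme not in self.RANK:
            raise ValueError(f"unsupported scheme: {scheme}")
        prev = self.best_seen.get(origin)
        if prev is not None and self.RANK[scheme] < self.RANK[prev]:
            return False  # Digest seen before, Basic offered now: do not auto-login
        if prev is None or self.RANK[scheme] > self.RANK[prev]:
            self.best_seen[origin] = scheme
        return True


if __name__ == "__main__":
    # Sample values from RFC 2617, section 3.5.
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
    print("Digest response on the wire:", resp)
    print("Password recoverable from Digest:",
          password_recoverable(f'Digest username="Mufasa", response="{resp}"'))
    print("Password recoverable from Basic:",
          password_recoverable(basic_credentials("Mufasa", "Circle Of Life")))

    guard = SchemeGuard()
    origin = "http://www.macosforge.org"  # constructed sample origin
    print("First challenge (Digest) allowed:",
          guard.allow(origin, 'Digest realm="test", nonce="abc"'))
    print("Later challenge (Basic) allowed:",
          guard.allow(origin, 'Basic realm="test"'))
```

The guard only addresses the auto-login question; it does not make Digest safe against an active attacker who controls the connection, which is the point both participants agree on, and it does nothing for a first visit where Basic is the only scheme ever seen.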