httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r1555538 - in /httpd/httpd/branches/2.4.x: ./ docs/manual/mod/mod_auth_digest.xml
Date Sun, 05 Jan 2014 16:06:54 GMT
Author: sf
Date: Sun Jan  5 16:06:53 2014
New Revision: 1555538

Merge r1554276, r1554281 from trunk:

    digest auth is only marginally more secure than basic auth.
    Adjust the docs to today's reality.

    mention insecure password storage as pointed out by Graham

    httpd/httpd/branches/2.4.x/   (props changed)

Propchange: httpd/httpd/branches/2.4.x/
  Merged /httpd/httpd/trunk:r1554276,1554281

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_auth_digest.xml
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_auth_digest.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_auth_digest.xml Sun Jan  5 16:06:53 2014
@@ -32,7 +32,14 @@
     <p>This module implements HTTP Digest Authentication
     (<a href="">RFC2617</a>), and
-    provides a more secure alternative to <module>mod_auth_basic</module>.</p>
+    provides an alternative to <module>mod_auth_basic</module> where the
+    password is not transmitted as cleartext. However, this does
+    <strong>not</strong> lead to a significant security advantage over
+    basic authentication. On the other hand, the password storage on the
+    server is much less secure with digest authentication than with
+    basic authentication. Therefore, using basic auth and encrypting the
+    whole connection using <module>mod_ssl</module> is a much better
+    alternative.</p>
 <seealso><directive module="mod_authn_core">AuthName</directive></seealso>
@@ -70,9 +77,16 @@
-    <p>Digest authentication is more secure than Basic authentication,
-    but only works with supporting browsers. As of this writing (December
-    2012) all major browsers support digest authentication.</p>
+    <p>Digest authentication was intended to be more secure than basic
+    authentication, but no longer fulfills that design goal. A
+    man-in-the-middle attacker can trivially force the browser to downgrade
+    to basic authentication. And even a passive eavesdropper can brute-force
+    the password using today's graphics hardware, because the hashing
+    algorithm used by digest authentication is too fast. Another problem is
+    that the storage of the passwords on the server is insecure. The contents
+    of a stolen htdigest file can be used directly for digest authentication.
+    Therefore using <module>mod_ssl</module> to encrypt the whole connection
+    strongly recommended.</p>
     <p><module>mod_auth_digest</module> only works properly on platforms
       where APR supports shared memory.</p>

View raw message