21 Nov 2000
gstein: basic digest authentication is evil and is first against the wall when the revolution comes
As far as security people like me are concerned, HTTP Basic authentication (what gstein calls "basic digest"; it is not the separate Digest scheme, which sends an MD5 hash) is in the clear. It's base64 encoded ASCII text. Therefore it's in the clear: the amount of transformation required to undo it is not high, certainly about the same as ROT13 or XOR. Most GUI snooping programs automatically decode it for you, so you don't even need to feed it to your friendly perl demunger.
There is an IETF draft for Kerberos-enabled HTTP authentication. It's also implemented in NCSA's httpd, and in Apache.
There is also an NTLM-enabled HTTP authentication method. mod_ntlm is the Apache module you're probably interested in, or mod_auth_smb, or Tim's later effort mod_auth_sspi. But I'd suggest sticking with Kerberos. It's more secure and works today.
Even with the proprietary crap, challenge/response is better than clear text (in this case, Basic) as you cannot easily recover the password: the wire carries a hash of it, not the password itself. The caveat is that everything a sniffer needs to test a guess is also on the wire, so a weak password still falls to an offline dictionary attack. Kerberos is the way forward. I'd like to see that.
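The two points above (Basic is one library call away from plaintext; a challenge/response scheme such as Digest keeps the password off the wire but is still open to offline guessing) as an added, runnable example. This is not code from the original post; the captured request, the credentials `alice:s3cr3t`, the realm and the nonce are all constructed for illustration, and the Digest arithmetic follows RFC 2617 without the `qop` extension.

```python
import base64
import hashlib
import re

# Constructed sample capture (not from the original post): a request carrying
# HTTP Basic credentials, exactly as a sniffer on the wire would see it.
CAPTURED_BASIC_REQUEST = (
    "GET /private/ HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "\r\n"
)


def extract_basic_credentials(raw_request):
    """Recover (user, password) from a Basic Authorization header.

    Base64 is an encoding, not encryption: one call undoes it, which is why
    the scheme counts as cleartext. Returns None if no Basic header is present.
    """
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", raw_request, re.M | re.I)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("latin-1")
    user, _, password = decoded.partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5("%s:%s:%s" % (user, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s" % (ha1, nonce, ha2))


def build_digest_authorization(user, realm, password, nonce, method, uri):
    """The Authorization header a Digest client sends. The password never appears."""
    resp = digest_response(user, realm, password, nonce, method, uri)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"'
            % (user, realm, nonce, uri, resp))


def parse_digest_authorization(header):
    """Pull the key="value" fields out of a Digest Authorization header."""
    body = header.split(" ", 1)[1]
    return dict(re.findall(r'(\w+)="([^"]*)"', body))


def crack_digest(header, method, wordlist):
    """Offline guessing against a sniffed Digest exchange.

    The password is not on the wire, but username, realm, nonce, uri and the
    response are, so each guess can be checked without talking to the server.
    Returns the matching guess, or None if the wordlist misses.
    """
    f = parse_digest_authorization(header)
    for guess in wordlist:
        if digest_response(f["username"], f["realm"], guess,
                           f["nonce"], method, f["uri"]) == f["response"]:
            return guess
    return None


if __name__ == "__main__":
    print("Basic, decoded from the capture:", extract_basic_credentials(CAPTURED_BASIC_REQUEST))
    # Constructed realm and nonce for the Digest half of the comparison.
    hdr = build_digest_authorization("alice", "private", "s3cr3t",
                                     "0123456789abcdef", "GET", "/private/")
    print("Digest header on the wire:", hdr)
    print("Password visible in header?", "s3cr3t" in hdr)
    print("Dictionary attack result:", crack_digest(hdr, "GET", ["password", "letmein", "s3cr3t"]))
```

Run it and the Basic capture yields the credentials directly, while the Digest header shows only a hash; the last line shows the remaining weakness, which is why the post's preference for Kerberos over both is the right conclusion.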