Mark Thomas wrote:
On 04/09/2010 17:27, André Warnier wrote:
Digest authentication is not very popular, and rather a pain to
implement yourself.
The reason why it is not very popular is that it is a bit of a halfway
solution: it does avoid user passwords being transmitted in the clear over
the net, but it is not safe against man-in-the-middle attacks (someone can
record the digest and use it to authenticate later as that user).

No they can't. DIGEST is secure against such an attack. Any session ID,
however, will be vulnerable.

You are right, the part between () was not correct. But the MIM vulnerability still exists. A MIM can tell the client to use Basic auth, catch the client's responses, do Digest auth with the server, and this way get the user id/pw. And neither client nor server would be the wiser.
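The two attacks discussed in this exchange, as an added example that is not part of the thread and not Tomcat's own code: a minimal RFC 2617 Digest (MD5, qop=auth) server and a client that honours whatever scheme it is challenged with. The first simulation replays a captured Digest header and is rejected because the server's nonce is single-use (Mark's point); the second has an active man-in-the-middle send the client a Basic challenge, decode the password, and then complete the Digest handshake with the real server itself (André's point). The realm, credentials, URI and nonce scheme are constructed for the demo.

```python
"""Added demo: HTTP Digest replay vs. Basic-downgrade man-in-the-middle.
Everything here (realm, users, URI) is constructed for illustration."""
import base64
import hashlib
import secrets

REALM = "tomcat-demo"              # constructed realm
METHOD, URI = "GET", "/manager/html"   # constructed protected resource


def _h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, nonce, nc, cnonce,
                    method=METHOD, uri=URI, realm=REALM):
    """Client-side response from RFC 2617 section 3.2.2 (qop=auth)."""
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Stores only H(user:realm:password); issues fresh nonces and rejects
    any nonce it did not issue or has already accepted once."""

    def __init__(self, users):
        self.ha1 = {u: _h(f"{u}:{REALM}:{p}") for u, p in users.items()}
        self.issued, self.used = set(), set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"scheme": "Digest", "realm": REALM, "qop": "auth", "nonce": nonce}

    def authenticate(self, auth):
        nonce = auth["nonce"]
        if nonce not in self.issued or nonce in self.used:
            return False                    # unknown or replayed nonce
        self.used.add(nonce)
        ha1 = self.ha1.get(auth["username"])
        if ha1 is None:
            return False
        ha2 = _h(f"{METHOD}:{URI}")
        expected = _h(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        return secrets.compare_digest(expected, auth["response"])


class Client:
    """Answers whichever scheme the challenge names, as browsers do."""

    def __init__(self, user, password):
        self.user, self.password = user, password

    def respond(self, challenge):
        if challenge["scheme"] == "Basic":
            token = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
            return {"scheme": "Basic", "credentials": token}
        cnonce, nc = secrets.token_hex(8), "00000001"
        return {"scheme": "Digest", "username": self.user,
                "nonce": challenge["nonce"], "nc": nc, "cnonce": cnonce,
                "response": digest_response(self.user, self.password,
                                            challenge["nonce"], nc, cnonce)}


def replay_attack(server, client):
    """Passive eavesdropper records one valid Digest header and resends it."""
    auth = client.respond(server.challenge())
    first = server.authenticate(auth)        # legitimate request succeeds
    replay = server.authenticate(auth)       # same header again: nonce is spent
    return first, replay


def downgrade_attack(server, client):
    """Active MITM: Basic challenge to the client, Digest to the server."""
    basic = client.respond({"scheme": "Basic", "realm": REALM})
    user, password = base64.b64decode(basic["credentials"]).decode().split(":", 1)
    mitm = Client(user, password)            # attacker now holds the plaintext
    ok = server.authenticate(mitm.respond(server.challenge()))
    return ok, password


if __name__ == "__main__":
    srv = DigestServer({"tomcat": "s3cret"})          # constructed credentials
    cli = Client("tomcat", "s3cret")
    print("replay  (first, replayed):", replay_attack(srv, cli))
    print("downgrade (server ok, password seen):", downgrade_attack(srv, cli))
```

Nothing in the Digest scheme lets the client verify that the challenge really came from the server, which is why the downgrade works without either end noticing; the usual remedy is TLS, with Digest or Basic then only deciding what the server has to store.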
