[owasp-intrinsic-security] HTTP Authentication

Giorgio Maone giorgio.maone at gmail.com
Mon Nov 3 05:05:36 EST 2008


Digest auth doesn't send any password in plaintext: it exchanges just hashes
with salt varying on each request to prevent cryptanalysis.
It's useful for transparent stateless authentication of web services or
WebDAV, for instance, provided that you do not need to encrypt the content
as well.
The big drop is that the server needs to know the password, i.e. it needs to
be *stored* in plaintext.
BTW, as long as you're strictly on HTTPS, basic auth is fine for web
services *and* lets you store just password hashes.


On Mon, Nov 3, 2008 at 2:49 AM, Jim Manico <jim.manico at aspectsecurity.com> wrote:

> HTTP Basic essentially sends the password in plaintext with each
> request. Same with digest, I think.
>
> These 2 standards are just horrible and need to be avoided.
>
> Am I wrong?
>
> - Jim
>
> -----Original Message-----
> From: owasp-intrinsic-security-bounces at lists.owasp.org
> [mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
> Bil Corry
> Sent: Thursday, October 30, 2008 11:35 AM
> To: owasp-intrinsic-security at lists.owasp.org
> Subject: [owasp-intrinsic-security] HTTP Authentication
>
> Another area of browser security that could use some help is HTTP
> Authentication; specifically, there isn't a straightforward way to
> "logout" the user -- that is, tell the browser to stop sending the
> authentication header.  In some browsers (all?), you actually have to
> quit the browser entirely to do it.
>
> From the user's perspective, one welcome change would be closing all
> windows associated with the site should terminate sending the
> authentication header on future visits to the site.
>
>
> - Bil
>
> _______________________________________________
> owasp-intrinsic-security mailing list
> owasp-intrinsic-security at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
>