Welcome to the staging ground for new communities! Each proposal has a description in the "Descriptions" category and a body of questions and answers in "Incubator Q&A". You can ask questions (and get answers, we hope!) right away, and start new proposals.
Is digest authentication more secure than basic authentication over HTTPS? Question
Apache has modules for both digest authentication and basic authentication. I've seen recommendations to use digest authentication because it doesn't send the password in clear text.
However, if my site is HTTPS, aren't all the headers including the ones for basic authentication encrypted anyway? Is there any reason to prefer digest authentication over basic authentication for a site that is HTTPS only?
1 answer
I don't know the full answer, but according to the official docs (linked in question): No.
However, this does not lead to a significant security advantage over basic authentication.
and
On the other hand, the password storage on the server is much less secure with digest authentication than with basic authentication. Therefore, using basic auth and encrypting the whole connection using
mod_sslis a much better alternative.
(originally posted as comment, but added as answer on asker's request)
0 comment threads
1 comment thread