
Re: [Inf-IT DAVcl] Blank page,with Internet Explorer


Hi,

> On 04 Apr 2016, at 10:05, Tobias Mueller <muelli@xxxxxxxxxxxxxx> wrote:
> 
> Hi.
> 
> On Fri, Apr 01, 2016 at 11:41:39PM +0300, Ján Máté wrote:
>> whenever it's possible avoid digest
> Can you elaborate on that?
> 
> It should be obvious that the security properties of digest auth
> are much better than those of basic auth.
> So I'm left wondering why you give that recommendation.

If you compare Basic vs Digest then yes, digest is better (even if it is vulnerable to a man-in-the-middle attack, your server cannot use a strong password hash, ...). If you read the documentation, there is a mention of the incorrect implementation of Digest auth in a lot of browsers (especially if used from JavaScript in combination with preflight requests, etc.).

So really don't use digest, use basic auth in combination WITH SSL/HTTPS.

Cheers,


JM


> 
> My preference would be SRP, but that's not widely supported :-/
> 
> Cheers,
>  Tobi
> 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
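
The password-storage point raised in the reply above, as an added example that is not part of the original message or of the project's code: a Digest server (RFC 2617, qop=auth) can only verify a response from the unsalted MD5 value HA1, while a Basic-over-TLS server receives the password and can keep a slow salted hash instead. Function names are illustrative, PBKDF2 is an assumed choice of strong hash, and the sample values are the ones from RFC 2617 section 3.5.

```python
import base64, hashlib, hmac, os

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# --- Digest (RFC 2617, qop=auth) ---
def digest_ha1(user, realm, password):
    # The per-user value a Digest server must keep: one unsalted MD5.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    # Verification needs HA1 itself, so the server cannot swap it for a
    # slow salted hash: the stored value is as sensitive as the password.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# --- Basic, sent over TLS ---
def basic_enroll(user, password, iterations=600_000):
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"user": user, "salt": salt, "iterations": iterations, "key": key}

def basic_verify(record, authorization):
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or invalid UTF-8
        return False
    if not sep or not hmac.compare_digest(user.encode(), record["user"].encode()):
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])

# Example values from RFC 2617 section 3.5 (not from this thread).
RFC = dict(method="GET", uri="/dir/index.html", nc="00000001",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce="0a4f113b")

if __name__ == "__main__":
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("digest ok:", digest_verify(ha1, response=digest_response(ha1, **RFC), **RFC))
    rec = basic_enroll("Mufasa", "Circle Of Life")
    hdr = "Basic " + base64.b64encode(b"Mufasa:Circle Of Life").decode()
    print("basic ok:", basic_verify(rec, hdr))
```
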

