[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: BOOK MD5 authentication

From: Ben Reser <ben_at_reser.org>
Date: 2004-10-01 07:02:11 CEST

On Fri, Oct 01, 2004 at 12:30:59AM -0400, Charles Fry wrote:
> First of all, let me thank you for your great book. It is a fantastic
> resource, that I have come to greatly appreciate.
>
> That said, your Basic HTTP Authentication section is both incomplete and
> misleading. :-o
>
> You say:
>
> "One word of warning: HTTP Basic Auth passwords pass in very nearly
> plain-text over the network, and thus are extremely insecure. If you're
> worried about password snooping, it may be best to use some sort of SSL
> encryption, so that clients authenticate via https:// instead of
> http://; at a bare minimum, you can configure Apache to use a
> self-signed server certificate."
>
> This would be true, if 'AuthType Basic' were the only available
> authentication option. However, [1]mod_auth_digest allows the use of
> 'AuthType Digest', which "provides a more secure password system than
> Basic authentication."
>
> 1. http://httpd.apache.org/docs-2.0/mod/mod_auth_digest.html
>
> If the only goal is to avoid passing a plaintext paassword over the
> netwrok, 'AuthType Digest' is a far simpler solution to HTTPS. In fact,
> if I were you I would use AuthType Digest as your primary example,
> perhaps mentioning in passing that it is also possible to be less
> secure.
>
> Thanks again for all the work that you have put into an excellent
> version control system and reference.

Thanks for the suggestion. I'll point out that at the time when that
section was written there was a bug in Apache that made Digest
authentication fail to work with Subversion.

-- 
Ben Reser <ben@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Oct 1 07:02:20 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.