[Zope] SSL & Digest Auth

michael nt milne michael.milne at gmail.com
Thu Feb 16 08:05:55 EST 2006


Ok, I'm likely mistaken on this. I'm checking on the source. However, I agree
that you wouldn't want Digest Auth over SSL anyway.

On 2/16/06, Andrew Milton <akm at theinternet.com.au> wrote:
>
> +-------[ michael nt milne ]----------------------
> | No, I read that for digest authentication to work the authentication
> | data can't be encrypted. Therefore it seems perfect for implementing more
> | security on non-SSL sites or sites that don't need SSL but need more
> | security on logon.
>
> This is baloney. The underlying transport has nothing to do with the
> incoming data.
>
> In Digest Auth the browser 'hashes' the username and password the user
> enters and simply sends the hash. The webserver does the same and compares
> the hash to the hash sent by the browser. If they match then you're allowed in.
>
> In Basic Auth the username and password are sent base64 encoded.
>
> Perhaps you were confused about the password being stored encrypted ON THE
> WEB SERVER. The client and the server both need to agree on what they're
> hashing in order to get a common hash. This doesn't mean you can't store the
> digest hash instead of the normal password hash when creating/changing
> passwords.
>
> In any case Digest Auth doesn't gain you anything if you're already on an
> SSL connection. It's there to prevent the password from being sent in the
> clear.
>
> --
> Andrew Milton
> akm at theinternet.com.au
>



--
Michael
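The Digest vs. Basic exchange Andrew describes, worked through as an added example (not code from this thread or from Zope; the realm, user, password and request below are constructed sample values, and the digest follows the RFC 2617 qop=auth form):

```python
import base64
import hashlib
import secrets

# Constructed sample values (not from the thread): a realm, a user, a request.
REALM = "zope@example.org"
USERNAME = "michael"
PASSWORD = "correct horse"
METHOD = "GET"
URI = "/manage_main"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # The only password-derived value the server needs; storing HA1 instead of
    # the cleartext password is the "store the digest hash" option in the reply.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_answer(username: str, password: str, realm: str, method: str,
                  uri: str, nonce: str) -> dict:
    # What the browser sends after the 401 challenge: no password, only the
    # hash plus the parameters the server needs to recompute it.
    cnonce = secrets.token_hex(8)
    h1 = ha1(username, realm, password)
    return {"username": username, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": "00000001", "cnonce": cnonce, "qop": "auth",
            "response": digest_response(h1, method, uri, nonce, "00000001", cnonce)}

def server_verify(stored_ha1: str, method: str, auth: dict) -> bool:
    # The server does the same computation from its stored HA1 and compares.
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return secrets.compare_digest(expected, auth["response"])

def basic_auth_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def basic_auth_password(header_value: str) -> str:
    # Contrast with Basic Auth: the value is only base64, so the password is
    # read straight back out by anyone who sees the header in transit.
    raw = base64.b64decode(header_value.split(" ", 1)[1]).decode()
    return raw.split(":", 1)[1]
```

The server side never needs the cleartext password, only HA1, which is why the digest hash can be what gets stored when the password is set.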