John Panzer wrote:
HTTP Digest is also vulnerable to man-in-the-middle attacks, which are not as unlikely as one might think given the growing popularity of WiFi networks. So even with HTTP Digest there are security problems.
Is this kind of attack repeatable? In other words can the attacker replay the attack later to make future changes to my blog or whatever it is I'm editing? If it's just a one-off interception of my current post it wouldn't worry me too much, especially when all I'm doing is editing a blog post. But I'm willing to accept that there are security problems and I'm not going to argue if you say that TLS is essential.
In other words, if you need TLS for security anyway, just use HTTP Basic and make life easier for both client and server.
I agree completely. I was just hoping to avoid the TLS altogether if that were possible.
Finally, of course, if you really do have privacy needs -- an internal feed of corporate data, for example -- you will also want to protect the data from observation, not just modification, in transit. TLS works here too.
Also agreed.
I believe that most standard http libraries support https, so most likely it would 'just work'.
I would have thought so too, but James Snell did a test of https support in a couple of aggregators a while back and only 3 of 10 worked. Maybe it'll be different for APP clients.
Regards James
