On 3/16/06, Felix Lindner <[EMAIL PROTECTED]> wrote: > you may be looking for Digest Authentication: > http://www.ietf.org/rfc/rfc2617.txt: > > "Like Basic, Digest access authentication verifies that both parties > to a communication know a shared secret (a password); unlike Basic, > this verification can be done without sending the password in the > clear, which is Basic's biggest weakness. As with most other > authentication protocols, the greatest sources of risks are usually > found not in the core protocol itself but in policies and procedures > surrounding its use."
Digest probably isn't a good answer to a MITM attack, because as far as I can tell there is nothing stopping the MITM from downgrading to BA. I haven't actually tested this. Maybe the browsers have config options to disable BA authentication, or at least give some kind of visual indicator that the authentication is digest rather than basic. - Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
