You've written the following in Chapter 19, one of the AuthKit chapters:
Even HTTP digest authentication, which does use some encryption on the password, isn't particularly secure, because anyone monitoring the network traffic could simply send the encrypted digest and be able to sign onto the site themselves, although they wouldn't be able to obtain the user's password, so it is slightly better. Even if you are using digest authentication it is worth using SSL too.
You're sure HTTP Digests are susceptible to replay attacks? A simple MD5 hash of the password is, but a digest is much more than that, unless I've misread the spec. --me@lbruno.org
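To make the point of the comment concrete, here is an added example (not from the book or the commenter) of the RFC 2617 qop=auth response computation together with a server-side check that rejects a replayed Authorization header because the nonce count did not advance; the realm, user store and cnonce are constructed sample values.

```python
import hashlib
import secrets


def _h(s: str) -> str:
    """H() from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: KD(H(A1), nonce:nc:cnonce:qop:H(A2)) for qop=auth.
    The server nonce, the client nonce and the request counter are all
    mixed into the hash, so a captured response is bound to one request."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users   # username -> password (constructed sample store)
        self.issued = {}     # nonce -> highest nonce count accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)   # fresh, unguessable nonce per challenge
        self.issued[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.issued:
            return False                       # nonce never issued (or expired)
        if int(nc, 16) <= self.issued[nonce]:
            return False                       # counter did not advance: replay
        pw = self.users.get(username)
        if pw is None:
            return False
        expected = digest_response(username, self.realm, pw, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.issued[nonce] = int(nc, 16)       # remember the counter for this nonce
        return True


def demo():
    """First use of a captured header succeeds; the identical replay fails."""
    server = DigestServer("example", {"alice": "correct horse"})
    nonce, cnonce, nc = server.challenge(), "0a4f113b", "00000001"
    resp = digest_response("alice", "example", "correct horse", "GET", "/dir/index.html", nonce, nc, cnonce)
    first = server.verify("alice", "GET", "/dir/index.html", nonce, nc, cnonce, resp)
    replay = server.verify("alice", "GET", "/dir/index.html", nonce, nc, cnonce, resp)
    return first, replay
```

This shows only that a naive replay is refused when the server tracks nonces and counters; the captured digest still allows offline guessing of a weak password, and the request body travels in the clear, which is why TLS remains advisable.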