undefined | Better HN

0 pointspornel15y ago0 comments

Basic is useless - sends password in the clear.

Digest authentication is safe against passive sniffing (it doesn't exchange any password/token in the clear and uses nonces), but it doesn't protect against active attacker who could modify server headers and replace "Digest" with "Basic" to reveal password.

0 comments

1 comments · 1 top-level

al_james15y ago

Ok, so digest authentication is safe against this new firefox extension?

If so, why don't facebook et al. switch to digest based authentication?

Surely its better than unencrypted cookie based logins. Is it just that its ugly (the browser login popup)?

1 more reply

j / k navigate · click thread line to collapse