On 27 Jan 2009, at 21:00, André Warnier wrote:
The only real weak spot is the "man in the middle".
Heh. You mean it doesn't use client certificates. The server knows it's talking to just one client, but can't be certain who that client is.

You can use the same attack with HTTPS, too. The difference there is that the browser will show the user that the connection is not secure, which is useful only if the user knows the connection needs to be secure:

    Server <-- Digest --> Proxy <-- Basic --> Client
    Server <-- HTTPS  --> Proxy <-- HTTP  --> Client

In both cases, the connection from server to proxy is secure, but the client end isn't.

--
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
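The two hops in that diagram, as an added example in Python (not code from the thread): a client-side policy that refuses to answer a Basic challenge on a plaintext hop, next to what each hop's Authorization header hands to an intermediary. The challenge strings, realm, nonce and credentials are constructed for the example; the Digest computation is the RFC 2617 MD5 form with qop=auth.

```python
import base64
import hashlib
import re

# Constructed challenges for the two hops in the thread: the proxy's hop
# to the server offers Digest, the client's hop to the proxy offers Basic.
SERVER_SIDE_CHALLENGE = 'Digest realm="private", nonce="deadbeef01", qop="auth"'
CLIENT_SIDE_CHALLENGE = 'Basic realm="private"'


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = dict(re.findall(r'(\w+)="?([^",]*)"?', rest))
    return scheme.lower(), params


def password_exposed_on_wire(header, over_tls):
    """True if answering this challenge would give the plaintext password to
    whoever controls the transport (for instance an intercepting proxy)."""
    scheme, _ = parse_challenge(header)
    if scheme == "basic":
        return not over_tls          # Basic is base64 encoding, not encryption
    if scheme == "digest":
        return False                 # only a hash of the password travels
    raise ValueError("unknown scheme: " + scheme)


def basic_authorization(user, password):
    """What the client sends on the Basic hop."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def digest_response(user, password, header, method="GET", uri="/",
                    cnonce="abc", nc="00000001"):
    """The response= value the proxy sends on the Digest hop (qop=auth)."""
    _, p = parse_challenge(header)
    ha1 = hashlib.md5(f"{user}:{p['realm']}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    data = f"{ha1}:{p['nonce']}:{nc}:{cnonce}:{p['qop']}:{ha2}"
    return hashlib.md5(data.encode()).hexdigest()


def recover_basic_password(authorization):
    """What an on-path proxy learns from a Basic Authorization header."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    return base64.b64decode(token).decode().split(":", 1)[1]
```

A client applying `password_exposed_on_wire` would not answer the Basic challenge on the plain-HTTP hop at all, which is the check the browser's "not secure" indicator leaves to the user.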