HTTP Digest Authentication
From RuntimeWiki
See the Wikipedia article on HTTP Digest Authentication for more details.
Opinionated Comments
An update is not truly needed, as the standard is there today. It is only browser support that is spotty, and the few implementations one can find on the net are sometimes flawed. The non-hashed Basic should be deprecated, SHA1 support should be mandatory, etc. The ironic thing is that all browsers today support this; the bulk of the code has been in major browsers for close to a decade now. Opera and Konqueror are the only browsers supporting auth-int. If the user got the browser through a secure channel, and the initial sign-up on the site was done securely, then any further communication between the user and the site, even in plaintext, would still protect the user's password, as well as (with auth-int) ensure that the information passed to/from the server was not manipulated.
A lot of sites do not use SSL either, due to cost or due to performance reasons. Proper HTTP Digest Authentication implementations would fill that hole. I cringe each time I need to sign up or log into a site and it's a plain text form. With auth-int I could log on knowing my password was safe from network snooping, and that changing my preferences (like changing the email) was actually being changed without being manipulated by a Man-In-The-Middle, as auth-int would ensure that manipulated form values would make the form fail the hash check. Current AJAX efforts to use HTTP Digest Authentication and forms have not been that successful, mostly due to spotty browser support of this standard.
Proper support would allow sites to mix non-SSL and SSL pages and still ensure integrity, only using SSL where it's vital that information is not seen by a 3rd party (like a credit card number or other private info) during the checkout on an online store, or when logging in or changing the preferences on this very Wiki site. And not to forget the millions of forums and blogs out there that do not have SSL available at all for login and prefs, nor an auth-int check when making a post, etc. It's scary that all that is still plaintext these days. With improved browser implementations, forum and blog software, CMS systems and OpenID would quickly add support as well.
--Rescator 01:35, 9 January 2009 (PST)
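The mechanism the comment above relies on, as an added worked example (this is not code from the page, the wiki or the commenter): the RFC 2617 Digest computation on both the client and the server side, with qop=auth beside qop=auth-int, so the "manipulated form values fail the hash check" behaviour can be seen directly. It goes slightly beyond the comment by also accepting the SHA-256 algorithm token that RFC 7616 later added. The realm, nonce, username, password and form bodies in `tamper_demo` are constructed values; the RFC 2617 section 3.5 example ("Mufasa" / "testrealm@host.com") is reproduced so the arithmetic can be checked against the RFC.

```python
import hashlib
import hmac
import secrets

# Hash tokens: "MD5" is the RFC 2617 default; "SHA-256" was added by RFC 7616.
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm: str, data: str) -> str:
    """Hex digest of a text string under the negotiated algorithm."""
    return HASHES[algorithm](data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str, algorithm: str = "MD5") -> str:
    """HA1 = H(username:realm:password). A server may store HA1 instead of the password."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def compute_ha2(method: str, uri: str, qop: str, body: bytes = b"", algorithm: str = "MD5") -> str:
    """HA2 = H(method:uri) for qop=auth; H(method:uri:H(entity-body)) for qop=auth-int."""
    if qop == "auth-int":
        body_hash = HASHES[algorithm](body).hexdigest()
        return _h(algorithm, f"{method}:{uri}:{body_hash}")
    return _h(algorithm, f"{method}:{uri}")


def digest_response(ha1, nonce, nc, cnonce, qop, ha2, algorithm="MD5"):
    """response = H(HA1:nonce:nc:cnonce:qop:HA2)."""
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, realm, password, method, uri, nonce, qop,
                         body=b"", nc="00000001", cnonce=None, algorithm="MD5"):
    """Client side: build the Authorization parameters. The password never leaves this function."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = compute_ha1(username, realm, password, algorithm)
    ha2 = compute_ha2(method, uri, qop, body, algorithm)
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": qop, "nc": nc, "cnonce": cnonce, "algorithm": algorithm,
        "response": digest_response(ha1, nonce, nc, cnonce, qop, ha2, algorithm),
    }


def server_verify(auth, stored_ha1, method, body=b""):
    """Server side: recompute the response from the stored HA1 and the request as actually received."""
    ha2 = compute_ha2(method, auth["uri"], auth["qop"], body, auth["algorithm"])
    expected = digest_response(stored_ha1, auth["nonce"], auth["nc"], auth["cnonce"],
                               auth["qop"], ha2, auth["algorithm"])
    return hmac.compare_digest(expected, auth["response"])


def rfc2617_example_response():
    """The worked example from RFC 2617 section 3.5 (GET /dir/index.html, qop=auth)."""
    auth = client_authorization("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                                "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                                "auth", cnonce="0a4f113b")
    return auth["response"]


def tamper_demo(qop, algorithm="MD5"):
    """Constructed scenario: Alice changes her e-mail on a prefs form; a MitM rewrites the body.
    Returns (verdict on the original body, verdict on the tampered body)."""
    realm, password = "example-wiki", "correct horse battery staple"   # constructed values
    nonce = "7c1e4d2a9f0b3e6d"                                        # constructed; servers issue one per challenge
    body = b"email=alice%40example.org&save=1"
    tampered = b"email=mallory%40example.net&save=1"
    auth = client_authorization("alice", realm, password, "POST", "/prefs", nonce, qop,
                                body=body, cnonce="0a4f113b", algorithm=algorithm)
    stored_ha1 = compute_ha1("alice", realm, password, algorithm)
    return (server_verify(auth, stored_ha1, "POST", body),
            server_verify(auth, stored_ha1, "POST", tampered))


if __name__ == "__main__":
    print("RFC 2617 example response:", rfc2617_example_response())
    print("qop=auth     (original, tampered):", tamper_demo("auth"))
    print("qop=auth-int (original, tampered):", tamper_demo("auth-int"))
```

Under qop=auth the tampered POST still verifies, because HA2 covers only the method and URI; under qop=auth-int the server hashes the body it received and the response no longer matches. Two things a real deployment still needs that this block leaves out: the server must track nonce freshness and a strictly increasing nc per nonce, otherwise a captured Authorization header can simply be replayed; and auth-int covers the entity body only, not headers. Note also that an eavesdropper who captures the response value can run an offline guessing attack against it, so the scheme protects the password only to the extent the password resists guessing.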
