HTTP digest authentication vs. HTTPS basic authentication


From a performance perspective, https requires that everything be encrypted: Request, Response, and credentials.
This is, of necessity, more server overhead (CPU/time, RAM) than HTTP Digest Authentication, which simply hashes the AUTH credentials so they can't be easily intercepted/stolen.

So all other things being equal, https + Basic Auth will be slower than http + Digest Auth.
How much slower? Probably not any amount you're going to notice, beyond the initial connection and SSL handshake.


The remainder of this answer is completely stolen from the top answer on This Stack Overflow Question covering the exact same material.

The pros and cons of HTTP Digest Authentication are explained quite clearly in the Wikipedia article on the topic -- you should read that!

To put it bluntly: HTTP Digest Auth will only protect you from losing your cleartext password to an attacker (and considering the state of MD5 security, maybe not even that).

It is however wide open to Man-in-the-Middle attacks and also -- depending on the implementation, since most of the advanced features are optional -- replay, dictionary and other forms of attacks.

However, the biggest difference between an HTTPS connection and an HTTP connection protected by Digest Auth is that with the former everything is encrypted with Public Key Encryption, while with the latter content is sent in the clear.

As for the performance: from the above mentioned points it should be quite clear that you get what you pay for (with CPU cycles).

For "flexibility" I'll go with: huh?
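An added example, not part of the answer above: it contrasts what each scheme puts on the wire and shows a server-side Digest check in which the optional nonce count is what rejects a replayed header. It uses the example credentials from RFC 2617; the `DigestVerifier` class, its return strings and the `SAMPLE` request are hypothetical names constructed for illustration, and nonce issuance and expiry are assumed to happen elsewhere.

```python
import base64, hashlib, hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    # Basic is only base64(user:password); anyone who sees it can decode it.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # qop=auth: the message body is not covered
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Hypothetical server-side check; stores HA1 per user, never the password."""
    def __init__(self, ha1_by_user, issued_nonces):
        self.ha1_by_user = ha1_by_user
        self.last_nc = {n: 0 for n in issued_nonces}  # highest nc seen per nonce

    def verify(self, method, p):
        ha1 = self.ha1_by_user.get(p["username"])
        if ha1 is None:
            return "unknown user"
        if p["nonce"] not in self.last_nc:
            return "stale nonce"  # not a nonce this server handed out
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, p["response"]):
            return "bad response"
        nc = int(p["nc"], 16)
        if nc <= self.last_nc[p["nonce"]]:
            return "replay"  # same or older nonce count: header was reused
        self.last_nc[p["nonce"]] = nc
        return "ok"

# Constructed sample request built from the RFC 2617 example values.
REALM, NONCE = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE = {"username": "Mufasa", "uri": "/dir/index.html", "nonce": NONCE,
          "nc": "00000001", "cnonce": "0a4f113b"}
SAMPLE["response"] = digest_response("Mufasa", REALM, "Circle Of Life", "GET",
                                     SAMPLE["uri"], NONCE, SAMPLE["nc"], SAMPLE["cnonce"])

if __name__ == "__main__":
    server = DigestVerifier({"Mufasa": md5_hex(f"Mufasa:{REALM}:Circle Of Life")}, {NONCE})
    print(basic_header("Mufasa", "Circle Of Life"))
    print(SAMPLE["response"])
    print(server.verify("GET", SAMPLE), server.verify("GET", SAMPLE))
```

A server that skips the nonce-count comparison accepts the second, identical header, and with `qop=auth` neither check covers the request or response body, which still travels unencrypted over plain HTTP.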


Author: qwert_ukg

Updated on September 18, 2022

Comments

  • qwert_ukg, almost 2 years

    What is the difference between HTTP Digest Authentication and HTTPS basic authentication from a performance and security point of view?

    • qwert_ukg, almost 11 years
      Yes, about performance: avg response time in HTTPS w/ Basic - 1s, HTTP w/ Digest 0.7s, but that is server response waiting time, not auth time.
    • Drew Khoury, almost 11 years
      I suggest you look harder, and outline in your question all the things you've tried. stackoverflow.com/questions/599048/…