For what good security good principles Facebook using auth digest over ssl? – Digitalmunition






This topic contains 0 replies, has 1 voice, and was last updated by  anonymous 1 month, 3 weeks ago.

  • #335980

    anonymous
    Participant



    I want to know: if there are no real advantages to using “auth digest” over SSL, then why do Facebook and many other famous e-commerce websites and SM platforms still use it?

    [https://stackoverflow.com/questions/11923607/do-you-still-need-to-use-digest-authentication-if-you-are-on-ssl](https://stackoverflow.com/questions/11923607/do-you-still-need-to-use-digest-authentication-if-you-are-on-ssl)

    Above, the SE community supports the view that there is no real need for such an additional change in security settings. Is there something we have missed?

    Can local plan attacks, e.g. SSLstrip and other MiTM variants, allow an attacker to capture enough authentication for session replay or perhaps brute-force?

    Also, how can SSL prevent me from brute-forcing a basic-auth (SSL) protected website, since the request credentials are the same every time, whereas with auth digest I will have a different value (uri+nonce+credentials+timestamp), so even if the session is captured, it won’t be replayed (considering low value of nonce).

    Thanks.
