HTTP Digest Authentication versus SSL

Problem description

What is the difference between HTTP Digest Authentication and SSL from a performance, security and flexibility point of view?

Solution

The pros and cons of HTTP Digest Authentication are explained quite clearly in the Wikipedia article on the topic -- you should read that!

To put it bluntly: HTTP Digest Auth will only protect you from losing your cleartext password to an attacker (and considering the state of MD5 security, maybe not even that).

It is however wide open to Man-in-the-Middle attacks and also -- depending on the implementation, since most of the advanced features are optional -- replay, dictionary and other forms of attacks.

However, the biggest difference between an HTTPS connection and an HTTP connection protected by Digest Auth is that with the former everything is encrypted with Public Key Encryption, while with the latter content is sent in the clear.

As for the performance: from the above mentioned points it should be quite clear that you get what you pay for (with CPU cycles).

For "flexibility" I'll go with: huh?
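
The answer's point that replay resistance depends on optional features can be seen in a server-side check. The following is an added example, not part of the original answer: it computes the RFC 2617 `qop=auth` response and compares a verifier that ignores the nonce count with one that enforces it. The `DigestVerifier` class and the `track_nc` switch are hypothetical names; the credentials are the sample values from RFC 2617 section 3.5; checking that the nonce was issued by the server and is still fresh is assumed to happen elsewhere.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth. Only the method and URI are covered;
    headers and body are neither encrypted nor integrity-protected."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    """Hypothetical server-side verifier (illustrative, not a library API).
    track_nc=True enforces the optional rule that nc must increase per nonce."""

    def __init__(self, realm, passwords, track_nc):
        self.realm = realm
        self.passwords = passwords      # sample credential store
        self.track_nc = track_nc
        self.last_nc = {}               # nonce -> highest nc accepted so far

    def verify(self, method, hdr):
        password = self.passwords.get(hdr["username"])
        if password is None:
            return False
        expected = digest_response(hdr["username"], self.realm, password, method,
                                   hdr["uri"], hdr["nonce"], hdr["nc"], hdr["cnonce"])
        if not hmac.compare_digest(expected, hdr["response"]):
            return False
        if self.track_nc:
            nc = int(hdr["nc"], 16)
            if nc <= self.last_nc.get(hdr["nonce"], 0):
                return False            # same or older nc: treat as a replay
            self.last_nc[hdr["nonce"]] = nc
        return True


# Authorization header fields from the RFC 2617 section 3.5 example.
RFC_HEADER = {
    "username": "Mufasa", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
USERS = {"Mufasa": "Circle Of Life"}
REALM = "testrealm@host.com"
```

With `track_nc=False` the same header verifies every time it is presented; with `track_nc=True` only the first presentation is accepted.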
