Hi,

On 04 Apr 2016, at 10:05, Tobias Mueller <muelli@cryptobitch.de> wrote:

Hi.

On Fri, Apr 01, 2016 at 11:41:39PM +0300, Ján Máté wrote:
whenever it's possible, avoid digest
Can you elaborate on that?

It should be obvious that the security properties of digest auth
are much better than those of basic auth.
So I'm left wondering why you give that recommendation.

If you compare Basic vs. Digest then yes, Digest is better (even if it is vulnerable to a man-in-the-middle attack, your server cannot use a strong password hash, ...). If you read the documentation, there is a mention of incorrect implementations of Digest auth in a lot of browsers (especially if used from JavaScript in combination with preflight requests, etc.).

So really don't use digest, use basic auth in combination WITH SSL/HTTPS.

Cheers,


JM



My preference would be SRP, but that's not widely supported :-/

Cheers,
 Tobi
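To illustrate the point in the reply above about the server-side password hash: with Digest the server must keep HA1 = MD5(user:realm:password) to verify a response, so the stored credential is a fast, realm-salted MD5; with Basic over HTTPS the server receives the password itself and can verify it against a slow, per-user-salted hash such as PBKDF2. This is an added example, not code from either author; the user names, salts and iteration count are made up, and the RFC 2617 test vector (user Mufasa) is the one from that RFC.

```python
import base64
import hashlib
import hmac
import os


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    # This is exactly what a Digest server has to store per user (RFC 2617).
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # Client-side computation for qop=auth (RFC 2617 section 3.2.2.1).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1: str, response: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str) -> bool:
    # The server recomputes from stored HA1; it never needs the password,
    # but it also cannot store anything slower than this MD5 value.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def basic_header(user: str, password: str) -> str:
    # Basic sends user:password base64-encoded; only TLS protects it in transit.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_store(password: str, iterations: int = 200_000) -> tuple:
    # Because the server sees the password, it can store a salted slow hash.
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def basic_verify(record: tuple, header: str) -> bool:
    salt, iterations, stored = record
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    _user, _, password = base64.b64decode(token).decode().partition(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)
```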