For what good security principles is Facebook using auth digest over SSL?


I want to know, if there are no real advantages to using "auth digest" over SSL, why Facebook and many other famous e-commerce websites and SM platforms still use it.


Above, the SE community supports the view that there is no real need for such an additional change in security settings. Is there something we have missed?

Could local attacks, e.g. SSLstrip and other MitM variants, allow an attacker to capture enough authentication data for session replay or perhaps brute force?

Also, how can SSL prevent me from brute-forcing a basic-auth (SSL) protected website, since the request credentials will be the same every time, whereas with auth digest I will have a different value (uri+nonce+credentials+timestamp), so even if the session is captured it won't be replayed (considering the low value of the nonce)?
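To make the replay point concrete, here is an added example (not from the question or any of the sites it names) of the RFC 2617 Digest response computation with qop=auth, plus the server-side nonce bookkeeping that makes a captured Authorization header unusable a second time. The realm, username and password are constructed placeholders; the server stores only HA1, never the plaintext password.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What the server keeps on file; the plaintext password is never stored.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # RFC 2617 response for qop=auth; nc is the 8-hex-digit nonce count.
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


class DigestServer:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users    # username -> HA1
        self.nonces = {}      # issued nonce -> highest nc accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        last = self.nonces.get(nonce)
        if last is None:             # nonce never issued (or already expired)
            return False
        if int(nc, 16) <= last:      # same or older nonce count: a replay
            return False
        h1 = self.users.get(username)
        if h1 is None:
            return False
        expected = digest_response(h1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = int(nc, 16)
        return True


def replay_demo() -> tuple:
    # Constructed credentials; "example.org" is a placeholder realm.
    server = DigestServer("example.org", {"alice": ha1("alice", "example.org", "s3cret")})
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    resp = digest_response(server.users["alice"], "GET", "/inbox", nonce, "00000001", cnonce)
    first = server.verify("alice", "GET", "/inbox", nonce, "00000001", cnonce, resp)
    replay = server.verify("alice", "GET", "/inbox", nonce, "00000001", cnonce, resp)
    # The same captured response is also useless against a fresh challenge.
    fresh = server.verify("alice", "GET", "/inbox", server.challenge(), "00000001", cnonce, resp)
    return first, replay, fresh
```

Note that this only prevents reuse of the captured header; the captured response is still an unsalted MD5 over the password, which is why Digest on its own is not a substitute for TLS.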
