I want to know if there are no real advantages of using “auth digest” over SSL, then why facebook and many other famous e-commerce websites and SM platforms still uses it.[https://stackoverflow.com/questions/11923607/do-you-still-need-to-use-digest-authentication-if-you-are-on-ssl](https://stackoverflow.com/questions/11923607/do-you-still-need-to-use-digest-authentication-if-you-are-on-ssl)
Above, the SE community support that there are no real needs for such additional change in security settings. Is there something we have missed?
Should local plan attacks e.g SSLtrip and other MiTM variants can allow attacker to use capture authentication enough for session replay or perhaps brute-force.
Also how can SSL prevent me from brute-forcing basic-auth (SSL) protected website, since the request credentials be same every time, where as with auth digest i will have different value (uri+nonce+credentials+timestamp) so even if session is captured , it won’t be replayed (considering low value of nonce.