HTTP 摘要式身份验证与 SSL

发布于 2024-07-13 22:57:13 字数 48 浏览 11 评论 0原文

从性能、安全性和灵活性的角度来看,HTTP 摘要式身份验证和 SSL 有什么区别?

What is the difference between HTTP Digest Authentication and SSL from a performance, security and flexibility point of view?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

苦行僧 2024-07-20 22:57:13

有关该主题的维基百科文章中非常清楚地解释了 HTTP 摘要式身份验证的优缺点 -你应该读一下!

坦率地说:HTTP Digest Auth 只能保护您免遭攻击者丢失明文密码(考虑到 MD5 安全性的状况,也许连这个都做不到)。

然而,它对中间人攻击以及重播、字典和其他形式的攻击(取决于实现,因为大多数高级功能都是可选的)敞开大门。

然而,HTTPS 连接和受摘要式身份验证保护的 HTTP 连接之间的最大区别在于,前者所有内容都使用公钥加密进行加密,而后者内容则以明文形式发送。

至于性能:从上面提到的几点来看,您应该很清楚一分钱一分货(使用 CPU 周期)。

为了“灵活性”,我会选择:嗯?

The pros and cons of HTTP Digest Authentication are explained quite clearly in the Wikipedia article on the topic -- you should read that!

To put it bluntly: HTTP Digest Auth will only protect you from losing your cleartext password to an attacker (and considering the state of MD5 security, maybe not even that).

It is however wide open to Man-in-the-Middle attacks and also -- depending on the implementation, since most of the advanced features are optional -- replay, dictionary and other forms of attacks.

However, the biggest difference between an HTTPS connection and an HTTP connection protected by Digest Auth is that with the former everything is encrypted with Public Key Encryption, while with the latter content is sent in the clear.

As for the performance: from the above mentioned points it should be quite clear that you get what you pay for (with CPU cycles).

For "flexibility" I'll go with: huh?

夏末 2024-07-20 22:57:13

摘要式身份验证仅加密身份验证凭据(即您在浏览器的身份验证对话框中输入的用户名和密码)...SSL 加密页面中的所有内容。 因此 SSL 的效率会较低,而且设置起来通常也比较复杂。 但 SSL 确实有一个优点,即如果双方拥有受信任的证书,它可以让双方验证彼此的身份。 HTTP 摘要身份验证不会执行此操作,因此在不使用 SSL 的情况下使用 HTTP 摘要时,您并不真正知道向其发送登录信息的服务器是正确的服务器还是冒名顶替的服务器。

Digest authentication only encrypts the authentication credentials (that is, the username and password you type into your browser's authentication dialog)... SSL encrypts everything in the page. So SSL will be less efficient, and it's also typically more involved to set up. But SSL does have the advantage that it lets both parties verify each others' identities, if they have trusted certificates. HTTP digest authentication doesn't do that, so when using HTTP digest without SSL, you don't really know if the server you're sending your login info to is the right one or an imposter.

太傻旳人生 2024-07-20 22:57:13

HTTP 摘要身份验证的某些服务器实现强制您在服务器上保存明文密码,更好的实现保存 username:realm:MD5(username:realm:password) 这具有 加盐存储的密码,如果攻击者获得了密码文件,这可以提供一定的安全性。

Some server implementations of HTTP Digest Authentication force you to save the cleartext passwort on the server better implementations save username:realm:MD5(username:realm:password) this has the effect of salting the stored password which gives some security if attackers have obtained the password file.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文