HTTP Digest Authentication versus SSL


What is the difference between HTTP Digest Authentication and SSL from a performance, security and flexibility point of view?

Best Solution

The pros and cons of HTTP Digest Authentication are explained quite clearly in the Wikipedia article on the topic -- you should read that!

To put it bluntly: HTTP Digest Auth will only protect you from losing your cleartext password to an attacker (and considering the state of MD5 security, maybe not even that).

It is, however, wide open to Man-in-the-Middle attacks and also -- depending on the implementation, since most of the advanced features are optional -- replay, dictionary and other forms of attacks.

However, the biggest difference between an HTTPS connection and an HTTP connection protected by Digest Auth is that with the former everything is encrypted with Public Key Encryption, while with the latter content is sent in the clear.

As for the performance: from the above-mentioned points it should be quite clear that you get what you pay for (with CPU cycles).

For "flexibility" I'll go with: huh?
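The optional replay protection mentioned in the answer, sketched from the server side as an added example (not part of the original answer): it computes the RFC 2617 `qop=auth` response and rejects requests whose nonce count does not increase. `DigestVerifier` and its method names are hypothetical, and the sample header values are the example values from RFC 2617.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: only method and URI are hashed, never the body."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:  # hypothetical server-side helper
    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords  # user -> password (constructed demo store)
        self.highest_nc = {}        # server-issued nonce -> highest nc accepted so far

    def issue_nonce(self, nonce):
        self.highest_nc[nonce] = 0

    def check(self, method, fields):
        nonce = fields.get("nonce")
        if nonce not in self.highest_nc:
            return "unknown-nonce"   # never issued by this server, or expired
        if fields.get("qop") != "auth":
            return "qop-required"    # the legacy form has no nc/cnonce to track
        try:
            nc = int(fields.get("nc", ""), 16)
        except ValueError:
            return "bad-nc"
        if nc <= self.highest_nc[nonce]:
            return "replay"          # a captured header is being sent again
        password = self.passwords.get(fields.get("username"))
        if password is None:
            return "bad-response"
        expected = digest_response(fields["username"], self.realm, password, method,
                                   fields.get("uri", ""), nonce, fields["nc"],
                                   fields.get("cnonce", ""))
        if not hmac.compare_digest(expected.encode(), fields.get("response", "").encode()):
            return "bad-response"
        self.highest_nc[nonce] = nc
        return "ok"

# Authorization header fields from the RFC 2617 example request
SAMPLE = {"username": "Mufasa", "realm": "testrealm@host.com",
          "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
          "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
          "response": "6629fae49393a05397450978507c4ef1"}
```

Even with this check in place, the request and response bodies travel unencrypted and are not covered by the hash, which is the gap the answer contrasts with HTTPS.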