nicwolff 450 days ago | link | parent

Shoots down Basic auth without SSL, without mentioning Digest auth, weird.


tptacek 450 days ago | link

I'm not sure I've ever seen a scenario where digest authentication was a win.

-----

chunsaker 450 days ago | link

That's a good suggestion - will see if we can add a para about it. We use digest authentication, fwiw.

-----

lhazlewood 450 days ago | link

There are many types of digest authentication - OAuth1.0a and Amazon's and Stormpath's custom schemes are examples. Browser-specific digest authentication wasn't covered however since the article was about REST APIs and most REST clients are not browsers.

-----

bct 450 days ago | link

I'm pretty sure he means RFC 2617 Digest authentication. There's nothing browser-specific about it.

-----

lhazlewood 450 days ago | link

I gathered as much. But in practice, how often do you see RFC 2617 Digest authc used in non-browser scenarios? (I'm genuinely curious. I haven't seen it used much at all outside of web browsers, so I'm curious what others may have come across).

-----

bct 450 days ago | link

I've written Atom Publishing Protocol servers that use it. It's not badly-suited for non-browser tasks (although yes, SSL and Basic is much simpler - if you don't mind paying for the certificate). It's unusual, but it's pretty unusual to use it (or Basic) for web browsers these days, too.

-----
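For reference, the two schemes the thread compares, as an added example that is not part of any comment above: it shows what a Basic header exposes to anyone who can read it, and how a server checks an RFC 2617 Digest response (qop=auth, MD5). The function names are hypothetical; the sample values are the example credentials and challenge from RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac

# Sample input: the example values from RFC 2617 section 3.5 (not from this thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
BASIC_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
DIGEST_PARAMS = {
    "username": USER, "realm": REALM, "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_credentials(header_value):
    """Basic is only base64: whoever sees the header recovers the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth with the default MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # depends on the shared secret
    ha2 = md5_hex(f"{method}:{uri}")             # binds the method and URI
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_digest(params, method, password):
    """Server side: recompute from the stored secret, compare in constant time."""
    if params.get("qop") != "auth":
        return False  # this example handles qop=auth only
    expected = digest_response(params["username"], params["realm"], password, method,
                               params["uri"], params["nonce"], params["nc"],
                               params["cnonce"])
    return hmac.compare_digest(expected, params.get("response", ""))

if __name__ == "__main__":
    print("Basic header reveals:", basic_credentials(BASIC_HEADER))
    print("Digest verifies:", verify_digest(DIGEST_PARAMS, "GET", PASSWORD))
```

Digest keeps the password itself off the wire, but the server has to hold the password or HA1, and without TLS the rest of the request and response is still unprotected. A real server also has to issue and expire nonces and track nc to reject replays, which this example leaves out.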
