
Re: Using system passwords with Apache





--On July 31, 2005 2:34:05 PM -0400 Stephen R Laniel <steve@laniels.org> wrote:

On Sun, Jul 31, 2005 at 07:36:16PM +0200, jonathan gonzalez wrote:
SSL/TLS is the socket/transport layer security and auth digest is a
challenge-response process using no clear-text credentials. How? Most
web browsers can pass credentials from forms to the server
either in clear text or hashed (MD5), and my proposal was to do it hashed.

But if everything's already encrypted with SSL, then it
doesn't matter if the credentials go over the wire in the
clear, right? They go over as cleartext, but cleartext
embedded in an encrypted stream. If they go over hashed as
MD5, that's encrypted MD5 atop encrypted SSL -- redundant
encryption. No?

Well, the other part of the MD5 theory (and it's a message digest, not encryption) is that you never pass anything that would allow the remote side to recover your plaintext password, nor to authenticate with your credentials elsewhere. (That's the theory... a smart enough proxy could do it, but only on a one-for-one basis -- one auth/challenge, one login somewhere else -- by passing through the challenge.)

So there is an argument for using both: SSL encrypts ALL the traffic on the link from bystanders, MD5 protects you (at least limitedly) from a rogue endpoint. Neither can protect against sophisticated enough man-in-the-middle attacks.
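The challenge-response being discussed above is HTTP Digest authentication (RFC 2617). The following is an added example, not code from this thread or from Apache: a minimal Digest computation without the qop extension, showing the two properties the reply makes, that the value on the wire does not contain the password, and that a rogue endpoint which passes the real server's challenge through can use the captured response exactly once, against that one challenge. The user name, password, realm and URIs are constructed for the example.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    """MD5 hex digest of a string (Digest auth is specified in terms of MD5)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_challenge(realm: str, nonce: str = "") -> dict:
    """Server side: the WWW-Authenticate: Digest realm=..., nonce=... header fields.
    A fresh random nonce is generated unless one is supplied (for deterministic tests)."""
    return {"realm": realm, "nonce": nonce or secrets.token_hex(16)}


def digest_response(username: str, password: str, realm: str,
                    nonce: str, method: str, uri: str) -> str:
    """Client side: the 'response' field of the Authorization: Digest header (no qop).
    Only HA1, HA2 and the nonce are mixed; the password itself never leaves the client."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side. An htdigest-style file stores HA1 (user:realm:HA1), not the password,
    so the server can check the response without ever holding the plaintext."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


def demo_relay() -> dict:
    """Walk through the 'rogue endpoint / pass-through proxy' scenario from the reply.
    All credentials here are constructed for the example."""
    user, pw, realm, method, uri = "alice", "hunter2", "Example Realm", "GET", "/secret"
    stored_ha1 = md5_hex(f"{user}:{realm}:{pw}")  # what the real server keeps on disk

    # The rogue endpoint fetches a genuine challenge from the real server and
    # forwards it unchanged to the victim's browser.
    real_challenge = make_challenge(realm)
    resp = digest_response(user, pw, realm, real_challenge["nonce"], method, uri)

    # 1. Nothing resembling the password is in the value that crossed the wire.
    password_on_wire = pw in resp

    # 2. Forwarding that response to the real server works: one challenge, one login.
    relayed_ok = server_verify(stored_ha1, real_challenge["nonce"], method, uri, resp)

    # 3. The captured response is useless against any later (fresh-nonce) challenge...
    fresh_challenge = make_challenge(realm)
    replay_ok = server_verify(stored_ha1, fresh_challenge["nonce"], method, uri, resp)

    # 4. ...and cannot be redirected at a different resource even under the same nonce,
    #    because the request method and URI are bound into HA2.
    other_uri_ok = server_verify(stored_ha1, real_challenge["nonce"], method, "/other", resp)

    return {
        "password_on_wire": password_on_wire,  # False
        "relayed_ok": relayed_ok,              # True
        "replay_ok": replay_ok,                # False
        "other_uri_ok": other_uri_ok,          # False
    }


if __name__ == "__main__":
    for k, v in demo_relay().items():
        print(f"{k}: {v}")
```

Two practitioner caveats: the server still has to enforce nonce freshness (expiry and, ideally, single use) for property 3 to hold in practice, and because HA1 is an unsalted MD5 of user:realm:password, a rogue endpoint that records a response can still run an offline guessing attack against a weak password. Running Digest inside TLS, as the thread concludes, covers what Digest alone does not.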


