[Moin-user] HTTP AUTHENTICATION security

Thomas Waldmann tw-public at gmx.de
Thu Feb 16 08:50:05 EST 2006


> Trouble is, I'm not using SSL.  As far as I can see this means that 
> passwords will be transmitted in cleartext from the browser to the 
> server, which is a terrible security hole.  Am I correct in this?

For "http basic auth" this is correct.

For "http digest auth" it is at least transmitted as MD5(password).

Google finds e.g. this:

http://www.caucho.com/resin-3.0/security/digest.xtp

> is there nothing to be done about this except use SSL?

Guess why everybody wanting a REALLY secure login does it by https. :)
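To make the difference between the two schemes concrete, here is an added example (not part of the original post or of MoinMoin) that models what a passive sniffer on the wire recovers from each. The user name, realm, password, nonce and URI are constructed sample values. With Basic auth the credentials are only base64-encoded, so they are read back directly. With Digest auth (RFC 2617, qop=auth, MD5) the client sends MD5 over a string built from MD5(user:realm:password), the server nonce and MD5(method:uri), so the password itself never crosses the wire, but everything except the password is in the captured headers, which is exactly what an offline dictionary attack needs.

```python
"""Added example: what a passive observer learns from HTTP Basic vs Digest
authentication over plain HTTP.  All values below are constructed sample data,
not credentials from any real MoinMoin installation."""
import base64
import hashlib


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user, password):
    """Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def sniff_basic(header):
    """What a sniffer gets from a captured Basic header: the credentials
    themselves, since base64 is an encoding, not encryption."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth"):
    """RFC 2617 Digest 'response' value for qop=auth, algorithm=MD5:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def capture_digest_exchange(user, password):
    """Constructed capture of one Digest exchange as a sniffer would see it:
    every field except the password is visible in the request headers."""
    exchange = {
        "user": user, "realm": "MoinMoin", "method": "GET",
        "uri": "/FrontPage", "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
        "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
    }
    exchange["response"] = digest_response(
        user, exchange["realm"], password, exchange["method"],
        exchange["uri"], exchange["nonce"], exchange["nc"],
        exchange["cnonce"], exchange["qop"])
    return exchange


def crack_digest(captured, wordlist):
    """Offline dictionary attack on a captured Digest exchange.
    Each guess costs three MD5 calls; returns the password or None."""
    for guess in wordlist:
        candidate = digest_response(
            captured["user"], captured["realm"], guess, captured["method"],
            captured["uri"], captured["nonce"], captured["nc"],
            captured["cnonce"], captured["qop"])
        if candidate == captured["response"]:
            return guess
    return None


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")
    print("Basic header on the wire:", hdr)
    print("Sniffer recovers:", sniff_basic(hdr))
    cap = capture_digest_exchange("alice", "s3cret")
    print("Digest response on the wire:", cap["response"])
    print("Password in the header?", "s3cret" in cap["response"])
    print("Offline guess:", crack_digest(cap, ["password", "letmein", "s3cret"]))
```

The takeaway matches the post: Basic auth over plain HTTP hands the password to anyone on the path, Digest hides it from casual reading but leaves a weak password exposed to offline guessing, and only TLS keeps the exchange out of an eavesdropper's hands in the first place.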
