[Moin-user] HTTP AUTHENTICATION security

Thomas Waldmann tw-public at gmx.de
Thu Feb 16 08:50:05 EST 2006

> Trouble is, I'm not using SSL.  As far as I can see this means that 
> passwords will be transmitted in cleartext from the browser to the 
> server, which is a terrible security hole.  Am I correct in this?

For "http basic auth" this is correct.

For "http digest auth" it is at least transmitted as MD5(password).

Google finds e.g. this:


> is there nothing to be done about this except use SSL?

Guess why everybody wanting a REALLY secure login does it by https. :)

More information about the Moin-user mailing list