Article:   Serve Your iCal Calendars Using WebDAV
Subject:   Digest vs. Basic Authentication
Date:   2002-09-24 07:52:00
From:   eray
Thanks for the feedback from everyone. As author of this article, I want to address the security concerns of using basic authentication. It's true that digest auth is better because it uses strong encryption to protect the username and password. However, the version of Apache that ships with Mac OS X 10.2, which I use for my server, is too old to implement digest auth correctly. It uses the deprecated mod_digest module instead of the correct mod_auth_digest shipping with current versions of Apache. I'm not sure why Apple is sticking with the out-of-date version of Apache and modules, but perhaps they will remedy that situation in the near future (I hope so). My attempts to use iCal with the older module failed, so I was left with only the basic auth option.


If you're doing mission-critical work, you definitely should use strong encryption. But basic auth has been used for many years and is only just beginning to be phased out. I think that for purposes of experimentation it's probably okay to use basic auth, but you're on your own. I've requested that the editors add a cautionary statement to the article to make sure people realise the risk.


Thanks for reading and sorry for any confusion.
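
To make the Basic versus Digest difference discussed in this thread concrete, here is an added example (not part of the original post or article) that builds both kinds of Authorization value. The user names, passwords, nonce and URI are the sample values from RFC 2617, not anything from this server setup.

```python
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Authorization value for Basic: base64 of 'user:password', no secret involved."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header):
    """Anyone who captures a Basic header gets the credentials back directly."""
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value for qop=auth with the default MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # password is only ever sent hashed
    ha2 = md5_hex(f"{method}:{uri}")              # binds the hash to this request
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Sample values are the worked examples from RFC 2617, not from this thread.
RFC = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
           method="GET", uri="/dir/index.html",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    hdr = basic_header("Aladdin", "open sesame")
    print(hdr, "->", recover_basic(hdr))
    print("digest response:", digest_response(**RFC))
    # A different server nonce gives a different response, so a captured
    # response is only valid for the nonce it was computed for.
    print("other nonce:    ", digest_response(**{**RFC, "nonce": "constructed-nonce-2"}))
```

In both schemes the calendar data in the request and response bodies still travels unencrypted; Digest only changes how the credentials are presented.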




  • Digest vs. Basic Authentication
    2002-09-24 14:56:55  mrprofessor

    It's true that Apple ships their version of Apache 1.3.x with the obsolete mod_digest module (which doesn't work with their own iCal product). Curiously, Apache ships 1.3.x with the up-to-date mod_auth_digest.

    You can get a precompiled version at:

    http://mithras.homeunix.net/downloads/mod_auth_digest.so.tgz

    Install it in some convenient location (like, say, /usr/local/libexec) and replace the loading of mod_digest in your httpd.conf file with


    LoadModule digest_auth_module /path/to/mod_auth_digest.so

    and

    AddModule mod_auth_digest.c

    After that, you should be good to go with digest authentication.
    • Digest vs. Basic Authentication
      2003-01-15 14:14:32  anonymous2

      Can't get to the mithras.homeunix.net site. Any ideas of where else I could find this module?