Kozea / Radicale

A simple CalDAV (calendar) and CardDAV (contact) server.
https://radicale.org
GNU General Public License v3.0

Add support for HTTP Digest Access Authentication #550

Open neirbowj opened 7 years ago

neirbowj commented 7 years ago

In the interests of defense-in-depth, this feature request is for "Digest Auth" on the front end of the server so that the user's password is never sent to the server. This would limit exposure of secrets in the event that a client is tricked into connecting to an inauthentic server, as might happen on a network with a captive portal or transparent proxy, not to mention various attack scenarios. While there are known effective attacks against Digest Auth, it is a significant improvement over Basic Auth. My hope is that this request might focus attention on architecture work that will pave the way to stronger front-end authentication protocols in the future.

Thank you for your kind attention and your contributions to the world of free, open source software.

pbiering commented 4 weeks ago

This requires cleartext passwords on the server side, and they then need to be protected by a master password: https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html
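To make the trade-off in the two comments above concrete, here is an added, self-contained Python model of RFC 2617/7616 Digest Access Authentication with `qop=auth`, covering both the client and the server side of the exchange. It is example code written for this thread, not Radicale's code, and the realm name, the user credentials, the in-memory `DigestServer` class and its function names are all constructed for the illustration. It shows what the opening post asks for (the password itself never appears in the request, and a captured response cannot be replayed because the server tracks the nonce count) and what the follow-up comment warns about (the server must keep `HA1 = H(username:realm:password)` for every user, and because `HA1` alone is enough to build a valid response it is a password equivalent that needs the same protection as a cleartext password file).

```python
"""Minimal HTTP Digest Access Authentication (RFC 2617 / RFC 7616, qop=auth)."""
import hashlib
import secrets


def _h(algorithm: str, data: str) -> str:
    # RFC names are "MD5" / "SHA-256"; hashlib wants "md5" / "sha256".
    return hashlib.new(algorithm.lower().replace("-", ""), data.encode()).hexdigest()


def make_ha1(username: str, realm: str, password: str, algorithm: str = "MD5") -> str:
    """HA1 = H(username:realm:password). This, not the password, is what the server stores."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def compute_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                     cnonce: str, algorithm: str = "MD5", qop: str = "auth") -> str:
    """response = H(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri)."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: an htdigest-style HA1 store plus replay tracking per nonce (constructed example)."""

    def __init__(self, realm: str, algorithm: str = "MD5"):
        self.realm = realm
        self.algorithm = algorithm
        self.ha1_store = {}     # username -> HA1; password-equivalent, protect it like cleartext
        self.live_nonces = {}   # nonce -> highest nonce-count accepted so far

    def add_user(self, username: str, password: str) -> None:
        self.ha1_store[username] = make_ha1(username, self.realm, password, self.algorithm)

    def challenge(self) -> dict:
        """Parameters of the WWW-Authenticate: Digest header sent on a 401."""
        nonce = secrets.token_hex(16)
        self.live_nonces[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "algorithm": self.algorithm, "nonce": nonce}

    def verify(self, method: str, auth: dict) -> bool:
        """True only if the Authorization params prove knowledge of HA1 and are not a replay."""
        ha1 = self.ha1_store.get(auth.get("username", ""))
        nonce = auth.get("nonce", "")
        if ha1 is None or nonce not in self.live_nonces or auth.get("realm") != self.realm:
            return False
        try:
            nc = int(auth.get("nc", ""), 16)
        except ValueError:
            return False
        if nc <= self.live_nonces[nonce]:
            return False  # same or older nonce-count for this nonce: replayed request
        expected = compute_response(ha1, method, auth.get("uri", ""), nonce, auth.get("nc", ""),
                                    auth.get("cnonce", ""), self.algorithm)
        if not secrets.compare_digest(expected, auth.get("response", "")):
            return False
        self.live_nonces[nonce] = nc
        return True


def build_authorization(username: str, ha1: str, method: str, uri: str, challenge: dict,
                        nc: str = "00000001", cnonce: str = None) -> dict:
    """Client side: Authorization: Digest params. Only a hash derived from HA1 crosses the wire."""
    cnonce = cnonce or secrets.token_hex(8)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": compute_response(ha1, method, uri, challenge["nonce"], nc, cnonce,
                                     challenge["algorithm"]),
    }


def client_authorize(username: str, password: str, method: str, uri: str,
                     challenge: dict, nc: str = "00000001") -> dict:
    """What a CalDAV client does with the user's password: derive HA1 locally, never send it."""
    ha1 = make_ha1(username, challenge["realm"], password, challenge["algorithm"])
    return build_authorization(username, ha1, method, uri, challenge, nc)


def demo() -> dict:
    """Walk through one exchange; returns the outcomes so they can be checked."""
    server = DigestServer("calendars")                 # constructed realm
    server.add_user("alice", "correct horse battery")  # constructed credentials
    chal = server.challenge()
    req = client_authorize("alice", "correct horse battery", "PROPFIND", "/alice/calendar/", chal)
    return {
        "password_on_wire": "correct horse battery" in " ".join(req.values()),
        "first_request": server.verify("PROPFIND", req),
        "replayed_request": server.verify("PROPFIND", req),
        "wrong_password": server.verify("PROPFIND", client_authorize(
            "alice", "wrong", "PROPFIND", "/alice/calendar/", chal, nc="00000002")),
        "next_request": server.verify("PROPFIND", client_authorize(
            "alice", "correct horse battery", "PROPFIND", "/alice/calendar/", chal, nc="00000002")),
        # a leaked HA1 is enough to authenticate: why the server-side store needs protecting
        "stolen_ha1_works": server.verify("PROPFIND", build_authorization(
            "alice", server.ha1_store["alice"], "PROPFIND", "/alice/calendar/", chal, nc="00000003")),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` runs one challenge/response round trip and reports that the password never appears in the request, that a replayed request is rejected, and that knowing the stored `HA1` is sufficient to authenticate, which is the reason the server-side digest file has to be protected as carefully as cleartext passwords would be.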

neirbowj commented 3 weeks ago

@pbiering, thank you for your attention to this feature request.

I'm having trouble understanding what the label "need support" means. The list of labels includes no description for it. Is there something I could do to help?

pbiering commented 3 weeks ago

@neirbowj, updated some label descriptions. In this case, contribution by others is required to implement support for the feature; it would need