Open rojer opened 1 year ago
Discussing this with colleagues, it's been our hope to eventually be able to deprecate HTTP authentication. So it's a bit surprising to see continued investment from Google.
Could you please elaborate on the motivation behind this?
> So it's a bit surprising to see continued investment from Google.
This issue (and the related intent) wasn't sent by a Google employee - so the "from: Google" label is incorrect.
Thank you for the correction! I guess we should be following blink-dev to figure out what Google thinks of this.
@annevk Yeah, I'm not affiliated with Google. HTTP digest authentication is still useful and being used on small-footprint devices as an easy way of securing access to a web UI. In particular, TLS+basic is usually not available there due to lack of a trusted certificate, TLS implementation or both, and digest gives at least a modest improvement over plain basic or form-based authentication. Our company produces small-footprint devices, and I would like us to eventually move to a better digest algorithm than MD5, that's all.
It's not clear to me how you can be safe from network attackers without TLS?
With plain basic or general cookie auth, a network attacker gains persistence: they can intercept the credentials and maintain access even after they no longer have access to network traffic. So it's not absolute protection, but a fair bit better than sending credentials in plain.
WebKittens
No response
Title of the spec
RFC 7616 Digest auth: Support SHA-256, SHA-512-256 and user hashing
URL to the spec
https://datatracker.ietf.org/doc/html/rfc7616
URL to the spec's repository
No response
Issue Tracker URL
https://bugs.chromium.org/p/chromium/issues/detail?id=1160478
Explainer URL
No response
TAG Design Review URL
No response
Mozilla standards-positions issue URL
No response
WebKit Bugzilla URL
No response
Radar URL
No response
Description
Blink intends to add support for modern digest algorithms for HTTP digest authentication, as specified in RFC 7616. No major impact is expected, and Firefox has supported them since 93. I've been asked to seek WebKit's opinion on the matter. For reference, the Chrome status entry is here, the blink-dev discussion thread is here, and the proposed code change is here.
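To make the RFC 7616 features named in this issue concrete, here is an added example (not code from the issue, Blink or WebKit) that computes and verifies a `qop=auth` digest response with SHA-256 and `userhash`. The helper names, the sample user, realm, password and nonces are all constructed for illustration.

```python
import hashlib
import hmac

# SHA-512-256 is left out: hashlib support for it depends on the OpenSSL build.
ALGS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

def H(alg, text):
    return ALGS[alg](text.encode("utf-8")).hexdigest()

def userhash(alg, username, realm):
    # RFC 7616 userhash: H(username ":" realm) replaces the cleartext username on the wire.
    return H(alg, f"{username}:{realm}")

def ha1(alg, username, realm, password):
    # A1 still uses the real username; the device can store this hash instead of the password.
    return H(alg, f"{username}:{realm}:{password}")

def digest_response(alg, ha1_hex, method, f):
    ha2 = H(alg, f"{method}:{f['uri']}")
    return H(alg, f"{ha1_hex}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")

def client_authorization(alg, username, realm, password, method, uri, nonce, nc, cnonce):
    f = {"username": userhash(alg, username, realm), "userhash": "true", "realm": realm,
         "algorithm": alg, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    f["response"] = digest_response(alg, ha1(alg, username, realm, password), method, f)
    return f

def server_verify(users, method, f):
    # users maps userhash -> stored HA1. A real server must also check that the nonce
    # is one it issued and that nc increases; that bookkeeping is not shown here.
    stored = users.get(f["username"])
    if stored is None or f["algorithm"] not in ALGS:
        return False
    return hmac.compare_digest(digest_response(f["algorithm"], stored, method, f), f["response"])

# Constructed sample values.
USER, REALM, PASSWORD = "admin", "device-ui", "correct horse"
NONCE, CNONCE = "c2FtcGxlLW5vbmNl", "Y2xpZW50LW5vbmNl"

if __name__ == "__main__":
    users = {userhash("SHA-256", USER, REALM): ha1("SHA-256", USER, REALM, PASSWORD)}
    auth = client_authorization("SHA-256", USER, REALM, PASSWORD, "GET", "/status",
                                NONCE, "00000001", CNONCE)
    print(auth)
    print("accepted:", server_verify(users, "GET", auth))
    print("other nonce accepted:", server_verify(users, "GET", dict(auth, nonce="b3RoZXI=")))
```

The response is bound to the server nonce, method and URI, so a captured header does not verify against a fresh nonce, which is the property discussed in the thread above.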