lighttpd: say no to digest authentication

| Comments

There are a lot of blogs/tutorials/notes on how to set up digest access authentication in lighttpd. Well, one thing they may miss is that it is just broken for several years.

Digest access authentication is specified by RFC 2617. It is sort of between SSL and the basic authentication — lightweight, easy to set up, while resistant to replay attacks.

It works as follows. When the client first requests a protected resource, the server responds with 401 Unauthorized, as well as realm and nonce. Then the client needs to send a second request with the response value for authentication, which is computed from password, the nonce, etc., as follows.

Here nc is short for nonce count and cnonce is client-side nonce, both of which are optional.

An attacker that is eavesdropping the traffic cannot guess the password, nor can the attacker replay the request to the server since the nonce value would be different each time.

The problem with lighttpd’s mod_auth is that it doesn’t verify the nonce in the client’s second request is the one it generated earlier, which means that an attacker could use any nonce to bypass the digest authentication. Thus, the digest authentication is basically equivalent to the basic authentication in this case.

The lighttpd developers pointed me to their wiki.

The implementation of digest method is currently not completely
compliant with the standard as it still allows a replay attack.
(i.e. not secure)

Seriously, do you really have to teach people how to configure digest authentication but hide the sentence in a bunch of small bullets? ;-)