This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
All data between the client and the server is encrypted.
Is the above statement true when you are using DISEST? The answer says it's false. But, according to the servlet spec
Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user based on a username and a password. However the authentication is performed by transmitting the password in an encrypted form which is much more secure than the simple base64 encoding used by Basic Authentication,
i dont think "all" the data between client and server is encrypted. Digest auth just doesnt pass the password as clear text/base64encoded. Quoting the purpose of Digest access authentication as per Section 3.1.1 of RFC 2617
The protocol referred to as "HTTP/1.0" includes the specification for a Basic Access Authentication scheme. That scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form. This section provides the specification for a scheme that does not send the password in cleartext, referred to as "Digest Access Authentication".
The Digest Access Authentication scheme is not intended to be a complete answer to the need for security in the World Wide Web. This scheme provides no encryption of message content. The intent is simply to create an access authentication method that avoids the most serious flaws of Basic authentication.