Question

I was wondering if there are any downsides to using HTTPS with HTTP Digest Authentication. I chose HTTP Digest because it's fairly easy to incorporate for an API, but it's not the most secure because it uses MD5 and it is susceptible to man-in-the-middle attacks. Would combining HTTP Digest Authentication with HTTPS make a better solution or a bad one? I would greatly appreciate any advice. Thanks


Solution

Use of HTTP Digest authentication is definitely better with HTTPS as the encrypted tunnel is formed prior to sending the credentials. This (partially) negates the risk of MITM that basic auth and digest auth create.

Of course, if your system is built such that a client can accidentally hit an improper endpoint or still access it over HTTP (rather than just not listening on 80) then the credentials will still be transmitted insecurely.
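To make the answer's two points concrete, here is an added example (not code from the question or answer above) that computes an RFC 2617 Digest `Authorization` header with `qop=auth` and refuses to build one for any URL whose scheme is not `https`, so a client cannot send the MD5 digest over plain HTTP by accident. The sample credentials and nonce are the constructed values from the RFC 2617 example; the function names are my own.

```python
import hashlib
from urllib.parse import urlsplit


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")  # depends only on the credentials
    ha2 = _md5_hex(f"{method}:{uri}")                  # depends on the request
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(url, username, password, realm, nonce, cnonce,
                        nc="00000001", method="GET"):
    """Build the Authorization header, but only for an https:// URL.

    Digest hides the password itself, yet the header is still an offline-crackable
    MD5 value and can be replayed by a MITM on plain HTTP, so the guard below
    enforces the 'encrypted tunnel first' rule from the answer on the client side.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"refusing to send Digest credentials over {parts.scheme!r}")
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (
        f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
        f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"'
    )


# Constructed sample (the RFC 2617 worked example), usable for a quick self-check.
RFC_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce="0a4f113b")

if __name__ == "__main__":
    print(build_authorization("https://api.example/dir/index.html", **RFC_EXAMPLE))
```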

Licensed under: CC-BY-SA with attribution