Why is there no adoption of RFC 7616 (HTTP Digest Auth)
Most sites don't use any of the HTTP authentication mechanism, i.e. Basic Authentication or MD5 based Digest Authentication, because these mechanisms are very limited in what they offer. It is not even possible to logout using these authentication mechanisms.
But even the few sites which use HTTP authentication usually prefer basic authentication over HTTPS instead of digest authentication, since the last one requires that the passwords are stored at the server as plain text or equivalent, which of course is bad from a security perspective.
Thus the only advantage digest authentication has against other authentication forms is if is used with unencrypted connections. In all other cases it is worse than the other established ways of authentication. But, any kind of login over insecure connections is considered bad anyway today. Therefore there is no need to slightly improve an already bad authentication mechanism without addressing the basic problems of it, i.e. the necessary plain text (or plain text equivalent) storage of the password.
Apart from that the weaknesses of MD5 like a bad resistance against collision attacks and pre-image attack don't really affect its use in Digest authentication, i.e. it is still suitable for this use case when used together with a proper random server defined nonce.
That is a great find, I was not aware of HTTP Digest with SHA hashing
HTTP Digest is great because:
- it is simple to set up [1]
- the hash method is officially documented
- you never need to store the user's password, just the 'H(A1)' [3].
- thus you cannot screw it up
HTTPS+Basic auth is not so great:
- proper set up is hard and costly [2]
- barrier to entry for newbies, who end up having to rely on SSL providers
- centralised, can enable undetectable snooping by rogue CA
- provides a false sense of security
- no general guidance of how to store credentials securely
Potential reason is that they want to consolidate control of the web, since SSL certificate issuance is centralised.
If you want the best security use HTTPS AND HTTP Digest at the same time. And DO encourage vendors to implement the latest RFC.