1

What is the difference between HTTP Digest Authentication and HTTPS basic authentication from a performance and security point of view?

qwert_ukg
  • have you done any research on this yourself? – Drew Khoury Aug 21 '13 at 06:57
  • Yes, about performance: avg response time in https w/ basic - 1s, http w/ digest 0.7s, but it's server response waiting time - not auth time – qwert_ukg Aug 21 '13 at 07:34
  • 1
    I suggest you look harder, and outline in your question all the things you've tried. http://stackoverflow.com/questions/599048/http-digest-authentication-versus-ssl – Drew Khoury Aug 21 '13 at 07:37

1 Answer

3

From a performance perspective, https requires that everything be encrypted: Request, Response, and credentials.
This is, of necessity, more server overhead (CPU/time, RAM) than HTTP Digest Authentication, which simply hashes the AUTH credentials so they can't be easily intercepted/stolen.

So all other things being equal, https + Basic Auth will be slower than http + Digest Auth.
How much slower? Probably not any amount you're going to notice, beyond the initial connection and SSL handshake.


The remainder of this answer is completely stolen from the top answer on This Stack Overflow Question covering the exact same material.

The pros and cons of HTTP Digest Authentication are explained quite clearly in the Wikipedia article on the topic -- you should read that!

To put it bluntly: HTTP Digest Auth will only protect you from losing your cleartext password to an attacker (and considering the state of MD5 security, maybe not even that).

It is however wide open to Man-in-the-Middle attacks and also -- depending on the implementation, since most of the advanced features are optional -- replay, dictionary and other forms of attacks.

However, the biggest difference between an HTTPS connection and an HTTP connection protected by Digest Auth is that with the former everything is encrypted with Public Key Encryption, while with the latter content is sent in the clear.

As for the performance: from the above mentioned points it should be quite clear that you get what you pay for (with CPU cycles).

For "flexibility" I'll go with: huh?

voretaq7
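To make the comparison in the answer above concrete, here is an added example (not part of the original question or answer) that computes what each scheme actually puts in the Authorization header, using the sample values from RFC 2617 section 3.5. The DigestVerifier class is a hypothetical server-side check written for this illustration; it shows the optional nonce-count tracking that a server needs in order to reject replayed requests.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_credentials(user, password):
    # Basic auth: base64 is an encoding, not a hash, so the password is
    # recoverable by anyone who can read the request (hence the need for TLS).
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 response for qop=auth: only MD5 hashes cross the wire,
    # but the request and response bodies are still sent in the clear.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Hypothetical server-side check (illustration only)."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords   # user -> password
        self.last_nc = {}            # nonce -> highest nonce-count accepted

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if user not in self.passwords:
            return False
        expected = digest_response(user, self.realm, self.passwords[user],
                                   method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        count = int(nc, 16)
        if count <= self.last_nc.get(nonce, 0):
            return False             # same nonce-count seen before: replay
        self.last_nc[nonce] = count
        return True

# Sample values from RFC 2617 section 3.5.
SAMPLE = dict(user="Mufasa", method="GET", uri="/dir/index.html",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
              nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    print("Basic :", basic_credentials("Mufasa", "Circle Of Life"))
    resp = digest_response(realm="testrealm@host.com",
                           password="Circle Of Life", **SAMPLE)
    print("Digest:", resp)
    server = DigestVerifier("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    print("first request :", server.verify(response=resp, **SAMPLE))
    print("same request  :", server.verify(response=resp, **SAMPLE))
```

A server that skips the nonce-count check accepts the second, identical request, which is the replay exposure the answer refers to.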