eWEEK Labs has discovered that Microsoft Corp.'s Internet Explorer Version 5.0 and higher, as well as the company's IIS Web server, has a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server.
The incompatibility lies in how Microsoft has implemented digest access authentication, an Internet Engineering Task Force standard (RFC 2617) that specifies how users can log in to Web servers without sending their password over the wire: instead of the plaintext password that Basic authentication transmits, the browser sends an MD5 hash computed over the password, a server-supplied nonce and details of the request. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose, although it protects only the password, not the rest of the exchange.
The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, none of the non-IE browsers we tested could be used as a client for any Internet Information Services-based Web application that uses digest authentication. (We tested this with Mozilla.org's Mozilla 0.9.9, Opera Software ASA's Opera 6.01 and the W3C's reference browser implementation, Amaya; Netscape Communications Corp.'s Navigator doesn't currently support digest authentication. Static Web pages are not affected by the problem.)
Digest authentication hasn't had a big impact so far because it is a relatively new technology: IE 5.0 and IIS 5.0 (part of Windows 2000) were the first Microsoft products to support it. Mozilla, the foundation of the Navigator browser (and possibly of the Web browser used in America Online Inc.'s next client upgrade), gained digest authentication only in late December.
After eWEEK Labs alerted Microsoft to the discovery, a Microsoft spokesman said the company has identified the issue and will work on a fix. However, the representative also told eWEEK Labs that "the nature of this particular issue does not put customer data at risk or pose a known security threat, so the fix will be prioritized accordingly."
Paul Leach, Microsoft's representative to the IETF working group that produced the digest authentication standard and one of the specification's authors, attributed the problem to a conflict between the definition of one part of the digest authentication header and other statements in the standard about how the header needed to be built. Microsoft went one way; everyone else went the other way.
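What "how the header needed to be built" means in practice, as an added example that is not part of the article and is not Microsoft's, Apache's or Mozilla's code: a Python implementation of the RFC 2617 Digest client response and the matching server-side verification, checked against the interoperability example in RFC 2617 section 3.5 (user "Mufasa", password "Circle Of Life", expected response 6629fae49393a05397450978507c4ef1). The realm, nonce and opaque values are the RFC's; the password store is constructed here. The article does not say which header field the implementations disagreed on, so the second scenario, in which the client hashes a different digest-uri than the server saw, is a constructed illustration of the failure mode rather than the actual IE/IIS defect; it shows why such a disagreement produces a clean authentication failure (a 401) rather than a security hole, which is consistent with Microsoft's characterization.

```python
"""RFC 2617 Digest authentication: client 'response' computation and
server-side verification (added example; test vector from RFC 2617 s3.5)."""
import hashlib
import hmac
import re

# Values from the RFC 2617 section 3.5 example, plus a constructed password store.
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
OPAQUE = "5ccc069c403ebaf9f0171e9517f40e41"
USERS = {"Mufasa": "Circle Of Life"}


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 3.2.2.1: H(A1) with A1 = user:realm:password (algorithm MD5),
    H(A2) with A2 = method:digest-uri (qop absent or 'auth'), then
    KD(H(A1), nonce:nc:cnonce:qop:H(A2)) or, without qop, KD(H(A1), nonce:H(A2))."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce,
                        nc, cnonce, qop="auth", opaque=None):
    """Client side: the Authorization header value a browser sends. RFC 2617
    writes every value as a quoted-string except qop, nc and algorithm."""
    response = digest_response(username, realm, password, method, uri,
                               nonce, nc, cnonce, qop)
    parts = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"',
             f'response="{response}"']
    if opaque:
        parts.append(f'opaque="{opaque}"')
    return "Digest " + ", ".join(parts)


# name=value where value is a quoted-string (with \" escapes) or a bare token.
_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_authorization(header):
    """Server side: split 'Digest k="v", k=v, ...' into a dict. Tolerates both
    quoted and bare values, since implementations differ on exactly this."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    params = {}
    for m in _PARAM.finditer(rest):
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = (re.sub(r"\\(.)", r"\1", quoted)
                                      if quoted is not None else bare)
    return params


def verify_authorization(header, method, request_uri, password_for,
                         expected_nonce=NONCE, expected_realm=REALM):
    """Recompute the response from the stored password and the request as the
    server actually saw it; compare in constant time. Returns (ok, reason)."""
    p = parse_authorization(header)
    for k in ("username", "realm", "nonce", "uri", "response"):
        if k not in p:
            return False, f"missing {k}"
    if p["realm"] != expected_realm:
        return False, "realm mismatch"
    if p["nonce"] != expected_nonce:
        return False, "unknown or stale nonce"
    if p["uri"] != request_uri:
        # The digest-uri must be the Request-URI the server received; if the
        # two sides build it differently, the right password can never verify.
        return False, f"uri mismatch: header {p['uri']!r} vs request {request_uri!r}"
    qop = p.get("qop")
    if qop and ("nc" not in p or "cnonce" not in p):
        return False, "qop present without nc and cnonce"
    password = password_for(p["username"])
    if password is None:
        return False, "unknown user"
    expected = digest_response(p["username"], p["realm"], password, method,
                               request_uri, p["nonce"], p.get("nc"), p.get("cnonce"), qop)
    if not hmac.compare_digest(expected, p["response"]):
        return False, "response does not match"
    return True, "ok"


def rfc2617_example():
    """Round-trip the RFC 2617 example: returns (header, ok, reason)."""
    hdr = build_authorization("Mufasa", REALM, USERS["Mufasa"], "GET", "/dir/index.html",
                              NONCE, "00000001", "0a4f113b", "auth", OPAQUE)
    ok, reason = verify_authorization(hdr, "GET", "/dir/index.html", USERS.get)
    return hdr, ok, reason


def divergent_uri_example():
    """Constructed interop failure (hypothetical, not the IE/IIS case): the client
    hashes only the path while the server expects the full Request-URI."""
    hdr = build_authorization("Mufasa", REALM, USERS["Mufasa"], "GET", "/dir/index.html",
                              NONCE, "00000001", "0a4f113b", "auth", OPAQUE)
    return verify_authorization(hdr, "GET", "/dir/index.html?id=7", USERS.get)


if __name__ == "__main__":
    print(rfc2617_example())
    print(divergent_uri_example())
```

Every field that feeds the hash (method, digest-uri, nonce, nc, cnonce, qop) has to be assembled identically on both ends, and RFC 2617 additionally quotes some values and leaves others bare; a client and server that read the specification differently on any of these points compute different responses from the same password, so the user is simply refused rather than let in. The verifier above also makes the checks a real server needs before hashing anything: the nonce must be one it issued, the realm must be its own, and the digest-uri must match the request line, with the final comparison done in constant time.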
Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor of mathematics degree in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.