Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


IE, Apache Clash on Web Standard



 By: Timothy Dyck
2002-03-18
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. IE, Apache Clash on Web Standard
  2. ' A bug in IE'

Rate This Article:
Poor Best
IE, Apache Clash on Web Standard
( Page 1 of 2 )

eWEEK Labs discovers that Microsoft's Internet Explorer 5.0 and higher and its IIS Web server have a significant security incompatibility--caused by how Microsoft has implemented digest access authentication--with other major Web browsers and with the ApaeWEEK Labs has discovered that Microsoft Corp.s Internet Explorer Version 5.0 and higher—as well as the companys IIS Web server—has a significant security incompatibility with other major Web browsers and with the Apache Software Foundations Apache HTTP Web server.

The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose.

The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, every non-IE browser we tested couldnt be used as a client for any Internet Information Services-based Web application that uses digest authentication. (We tested this with Mozilla.orgs Mozilla 0.9.9, Opera Software ASAs Opera 6.01 and the W3Cs reference browser implementation Amaya; Netscape Communications Corp.s Navigator doesnt currently support digest authentication. Static Web pages are not affected by the problem.)

Digest authentication hasnt had a big impact so far because it is a relatively new technology: IE 5.0 and IIS 5.0 (part of Windows 2000) were the first Microsoft products to support it. Mozilla, the foundation of the Navigator browser (and possibly the Web browser used in America Online Inc.s next client upgrade) gained digest authentication only in late December.

After eWEEK Labs alerted Microsoft to the discovery, a Microsoft spokesman stated that the company has identified the issue and will work on a fix. However, the representative also told eWEEK Labs that "the nature of this particular issue does not put customer data at risk or pose a known security threat, so the fix will be prioritized accordingly."

Paul Leach, Microsofts representative to the W3Cs digest authentication standards committee and one of the specifications authors, attributed the problem to how the definition of one part of the digest authentication header conflicted with other statements in the standard about how the header needed to be built. Microsoft went one way; everyone else went the other way.





  Reader Comments: IE, Apache Clash on Web Standard
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Timothy Dyck
 


xr㶲0;; ʷ♵MR-b[^fI*EBc")_&gy 7](ɗ>ĶD 74$sW7-gL.\sfS;uA@ Y>%>{ '(+o1mnf]( _hoL|Aშ :#:D.Pk< Z5754o/ne0S.ڎIQ>*VOմH>ڴQ$1q@P.w@~Th \2ITߦuB)R=2tНS[BT Kt/"(?F#&s?9; Ț_h@Q50NK <[< C5nCUVekF֠}lui!l 1!o ݿ!HjRvnwo\ 25I2C[0,HmfCcW`pmׇɩVsTq3#}jݷt{#ԷF:SSC3MuN_CPI'6qVR#/y y>z u<-YV5^q;ݙcoE-2GlR =y7`BaCJ&5\_-׉E&>5 ؗY͢@eʆ}{ʾVWR\W}`[BUzEÝ|k47;W)EsvU ! mݹWඒk%ms|uO}~A6ox9vtx/o0*% ZJ4_::~\NB^$9@FI?n/jy#Բ_/iv$f1{P$!XI#F/XTUGb9괏'򳩥}o__]wzmo]wڧH>bPk5Mz"1h ؕ3Bz ,7'7ϗ7˓MvIsCR|BCj`BәcYqmU?Zv\= x6~l M u ôW+ZᇓqULBxy$Y)Izֿ8'} ,-)Ttܿ/Rzhf5 x CX&%Ge)":u %ͪ5V ~[PĿ"E/F].7kDm,-Ⱥs5ͷwf;]g'჎(>h&ƋCriYnL,rӇtw@>~N{ݧn]>'tfo/*Abχ@& ahMi5 >DAЂMtT;n]`2Zw9ܻ-(; hk = `DyKwCPb(=զA{Tgg,zC k 6G~[>l03QA\QzODȧI.BD(ZH"!Aly [$t XV(V  ar Tt@Gҹ;vjP)hJ9cb -x[b}ILgF2+ɨɬaX91yMf#T`"[/Kᙖ&J9okՒVIxF E=4!ޙIj[iSwӿi  |kV WpG 9#rQϚX %<9.ƲB"5_uSҚʸ*2$,T4?ՌgaI8F:b9i%nQ?KĝR48%1NasW|]ӨڞӬY Uo[9Tikk)R?![p5|a׼2F]RYBKPDlHfc/XKKezl8&E2LG%E?io kSkdQ36qoaQ5 KJYMj_>OڹeK(Ք6 [IFlx |MKߵ("==r3CO\C618yRf&n \t+ˀ9\GUmg`m1Lx>x# d\46(V,'`#Cҵ; ¢w^\Sv˖?~F|4^ۄ#V!0\ zD30`,e?BG_&]1VW=ZSYdX(%UMpl"zd\s˰e0|j}\v1+ܸ~$QK!VȅB瀛*,ZC/gç!V $ļkiPzP* `k_.ϳ1 !ܕVR5󈻬SwhlrKcJRE}Xo{" Qքc'MXtyEW>Ґ!as`Ez . Z 0DrIa TWk`//7]K aE"%1ڣ>s!a*/w+ f)\|;Ogz^*k :ЪZZ:Ύ^WYP2<Œ&PaLL:w?g`̦v_߯XdV'#?ҍۙ'j*r1_?M= [LFzɖ0'`{' Yn:ajAyIxP.-W4'iwṛ: ߀&?\qc`a} 2"G=n $p5)zS(j :H$ 3YˡYF 3_6^u, ς2yc_7)~|$DC>km{~BKe U'7-RV%%^ͳ!ݓXm0BS\r8+ps)p}/O &PFzM%P]8TV<^ۋ953קAHLf@= P3ti q5;fGXh;γ!ڴiH@kXPq+$eZ]J֟'vuPpz]GK eṚTTWFooy!A"wP)߭~*9WIP5 ]Uj; s 4a!`\?=bEOP?n ]^*~ t9CT`|"@`'d8֎o -"Ԅ6xtLaV*7xA!RDC$ |*ͤ D^E2Aint/x렘Yga Kx87syT ,Z~xty"u.ZTc4s!6:g5ރ `i8FjxHCL>jnW۫ItaOQ區^9 us)d}=^C|sٖҽNW's9B AH,FW!zۭlfS k3d8) xdqH/=^q@ڊ ҽ>i_sb빨kNZ _k=WE.7(aF`Y;²VXHy`&|C*tzc}E9,{B,2q]ć2sy96^SF(+bK"$DY \g'ufhDu~kGnr~#<B<MxD GBY{pXTJ븕vI3c~:)}A/m9˝~H (9o "lSkԛ2L:1D&rޚSD[Bc}OӆO\fax!ul q%ӝr* BٸEO[ ,jm-̑s8'SѤ4 AgJȄbye5a35R!MLCYOC/$$a;+B6zs giMO6mn3jt.>n6DrFL`ql)HZQ"A|J| 9nG@)RpG[(#]Clb%hղoeW!؁|Ds`c=C!D!QFrVTzaUu&Ա0@ktH.\<;n; WS漊eFnOa7pϲl^ta9`|;p='5];HƸ DucBA=ѧǂ f A] jMZ%79a5L`aE8F<.%g-;-GN'~.@ 6W{$ N FP ߽?Fq>P]Yz$AC~g}\0n;z{w7|Of0w+iv;}pܶ2M3}ݾJf9K^dΠt4s !F.`0.s!T x:o~˸aW*]c{*{7wo]VZtCqB1nVx/)&%ϓyL @OKtGY_BQKwv{Y"V0N ئw=13Y#Ÿ6!{ Rf;滂; `!3("а5m {8g 05@*Yv4..߮ B;FJX<[N>۴rUCaUk§ ,'iƿ'qFԱQo*o_O6oN{cA|3 e\OcR* wXR|  .w?FӞ܊|NEAa˸E%ÖdN._靈pk2'[g9,ˊS Lt4/tk4W, ]޽>9ׇt!tz1T[1!庢|pozyx>kc8|#֘'1* 7c<Iד8O(`BlAWWAg)_ML R]l!1T4q{Nkg$ %ā&mF 6O;1G8VN69 Y1u忥>}K*KxdI ]{ 9܏p޴ۿH, z}_ժf&<}xF7[=%iON]ew/&![>MƔuN }!Zn%*@Lt$J N4`"G٘0A? :}-li>miE6&K)r0FsW˶uK \h=[H}0%u_ &*y%.)ljF"<#DM`*ODL/>An+/E|JU.H}sJ'0V$=NZժF} ,K#BF7Au^?@CMiz4iK5H~&rN@5Fc(ap[6 In:۵כ.f|@`\Sbna*ZZHhppq1 8m "%&nnU5MKS3O߁yf;(Il=( \q~^L/E L%OO lei-;7Au/EB|"vυ=j*re'];c>=q 1wsl&LHH"H}BhbvhhE$~y5 m#Ow Yenɼ zā_`иu[W.]`>AnNRU+ xhh"k84-uX椏IL=7s{K%Kzo0\StXJR ,%QNXKR >-`۟E0|i3Yؕd?N| aEvn݁8{ r|x8{E$?cWpIQFX3tYܒoU(->c]Cm t(/^!W{ȏR++p_M %C vvNa *ndn|R:ߘo<57kG s׳l̀n-rmΛߧ 7+G-^.Uoъ s7)P S>V 7)#3z}5opр7esjڿ1p-ot?@$f1*Z_G|CӜ;!\wWs @nnon~\-uK NX}fZ =يbmjkC"\)PRTJ/^LBKo8ی3f#k<s<h<Bã檙El.eH@ģ< 15[ >YTo16{y~}%UX gRUUT[/wWQDJQcV AEU!  ț @Eܪ^ǜҒ#ןJx_zt'4zڦk:UQh:ޠh͍}|N~Eww٧TCy.zL" G@M!jl09ULct$7=OpR#n2Uňk(G>?ės`:Z-GiRs^b(.![̐5|55 hF!@]o~4,Y|u~rJu1w> 8} mq}j*bdfiAh!Fv;Kb+. 6Q{F$Cݸt9|Mnd @`ע >&lZO'q/%+L֌G "K&5\@FPxI0(O3, ^:JW15ǜS˽.\(IQ,:+Ȓ~We=^^@֋+ nMUJ9t{`ɧj_\UBI ̀kZk>A{76}jkbxm;Xÿ́kkab];Xif5yJ)~,y -JYՉJ_ֽ辎wCjLx 8EO>ee\\eܥ.HOL<Эq0e_F ?'3*,nn$XZ$2)lxzT¿u/FʋzhNClv/>VHՕܿкextA߀J"r[-%iv#:&0* >&qJ#?+){ڞUާ.hpqڀkcEl~%:xd<~N`_~#= n̸9ӆl boEҖIv# ,Ő?Ǯ,H`36# p7CsN.7v߾U Ciѝ]T70GT*0 < ;5&g|tH ]\W S tga/v'ŐSeA??­!~R)Qw3Ď2D׫l<ч9\<cuA9w25ypW %awe~t:cfé-ݳ5KnltQQ({b:M u?.)nNL )r~NR] $Bq0ӜhpwtEğ 1ºޛXF #~aP8\  +z+uT'I]W@)q_4mKLxte$AN/[mf(NT3\H^Eǒ<^;KwEGcq~^cw t$;5U6ürWzuL[OA~iJjm85g5^L7#Ǯ#u>ԦF(p:j0CP܄qP b>^ Ȥou[@9@/9Ao9P~)By7)pp)?姀|OPiuY<.r_'\C;9Wh)_Vug(W3π9rߛorڿɡ=>k]T(RhK "S^9,.Osţu.TlCg6m'[ *8z:RMw ߽,R tCc,>x'O!45EL=#>}38]7n8ڜ8w n )xT-kZYoZԪw俓kvO5h=""CwP*R'Ӏe`_)&K<3 .=M^ed fMȡ!pCfJC#DK(x>[xc6LzL˘͛ˌ)æʗᄽJ/$` f@2b'`{z58Y0`ٳ6VI2hؐ,sv[F8 c| 3˻O,OStV0\9 hw `Mz4z<8ֿbbcx uY<'Ë.LzQ$pgB͛KlA x KQ,V+7 k`Ver-c2O-5U,%O|w&aɉF͑yC2X)43G}@ӟyCexMϧ }% ]op1q6`t ޺Ccj$d V$G3x7X05:%wYqqs2&6 u;ݙ)a,<T#0? FӥsX00wYW .ߒ'/Հ`mߛ(8 ь=E$2ޟ|1~-pIi/ 0S\.1/亄mK_13cjxNz !螔0!Kb W>[l,)1 {;KH6D`躷O 챧04%IABW䁝' A'|NbOh)FыpaHzBG=Xϑ9}8p9o"s&ze Th<S˚H1y![I%IfZD.Tsmqm \׆1> V_dvO~-B+*π 8H2Gd!᳤c9"=>(#.X&">m<'6}Fu;H"@cx nj65Tc 2|?OGe Mt8=B3 ܐ}olI C_z 9@/7A{} r@cEߟ2"L)Ԧ?MSw)+],by Y3M` p#Q#*^g ͜5%S+~`[wt)(5x2;v͆Le(\v /-GJWBpCɖ)tO˟!?M͌A5`/9H,]S(\n)ZF1uBR(at@L?Ua˟]|TIٶ7(G,cմ Qa[:6 Vn ۲ Uy˷DM\7-'my#Q1W)v$ѿbpfו޳s+o5ȉe6뙣|NN7pA}K\kXI@ Ik-.,wvUa4,Lb1"[\'QI 8`RжX3,@a)5|dn~ӧ4pRaL $b[иS!aa؄;66BJ:6L]_X PWe!