IE, Apache Clash on Web Standard
eWEEK Labs has discovered that Microsoft Corp.'s Internet Explorer Version 5.0 and higher--as well as the company's IIS Web server--has a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server. The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose.
The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, every non-IE browser we tested couldn't be used as a client for any Internet Information Services-based Web application that uses digest authentication. (We tested this with Mozilla.org's Mozilla 0.9.9, Opera Software ASA's Opera 6.01 and the W3C's reference browser implementation Amaya; Netscape Communications Corp.'s Navigator doesn't currently support digest authentication. Static Web pages are not affected by the problem.)
Digest authentication hasn't had a big impact so far because it is a relatively new technology: IE 5.0 and IIS 5.0 (part of Windows 2000) were the first Microsoft products to support it. Mozilla, the foundation of the Navigator browser (and possibly the Web browser used in America Online Inc.'s next client upgrade), gained digest authentication only in late December.