A bug in IE

By Timothy Dyck  |  Posted 2002-03-18 Print this article Print

?"> A bug in IE? "It definitely looks like a bug in MS IE," said Apache Software Foundation Chairman Roy Fielding, in Newport Beach, Calif. "We will not change our implementation in order to accommodate this bug, since it could be considered a weakening of that digest authentication feature."
In eWEEK Labs opinion, the Microsoft implementation is not a security hole, but security needs to be more than just patching leaks—its also about ensuring that critical IT infrastructure products can interoperate securely.
Digest authentication will be especially important as Web services proliferate. It is far more secure than the other standardized alternative—basic authentication—which sends user names and passwords in plain text over the wire. Microsoft customers do have another option, the Microsoft-proprietary integrated Windows authentication, which provides wire-level security similar to digest authentication. However, this works only with Microsoft Web browsers and Web servers. It cannot be used if Web clients send requests through a proxy server, which digest authentication can handle. For developers who want to build truly interoperable secure Web applications, the only available option is to encrypt all data between a Web client and server using SSL (Secure Sockets Layer) and to fall back to basic authentication. This is a secure option, but digest authentication is a valuable middle ground between almost no security (what unencrypted basic authentication provides) and complete SSL encryption, with its considerable CPU overhead, more complex configuration, and associated recurring administrative costs of getting and maintaining a valid SSL certificate. In fact, our desire at the Labs for just such a middle ground was how we discovered this problem—one that has not been reported before, according to Scott Lawrence, one of RFC 2617s co-authors and maintainer of the specifications official errata list. eWEEK Labs West Coast Technical Director Timothy Dyck can be reached at timothy_dyck@ziffdavis.com. Related stories:
  • Microsoft Patch Repairs 6 IE Flaws
  • Security Flaws Found in IE 6.0
  • Apache Avoids Most Security Woes
  • IE 6.0: Big in Name Only
  • IIS: Stay or Switch?
  • Fed Up With IIS

    Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.

    Submit a Comment

    Loading Comments...
    Manage your Newsletters: Login   Register My Newsletters

    Rocket Fuel