IT Security & Network Security News & Reviews - eWeek



IT Security & Network Security Reviews

IE, Apache Clash on Web Standard


By: Timothy Dyck
2002-03-18
Article Rating:starstarstarstarstar / 2


There are  user comments on this IT Security & Network Security News & Reviews story.



  Table of Contents:
  1. IE, Apache Clash on Web Standard
  2. ' A bug in IE'

eWEEK Labs discovers that Microsoft's Internet Explorer 5.0 and higher and its IIS Web server have a significant security incompatibility--caused by how Microsoft has implemented digest access authentication--with other major Web browsers and with the Apa

IE, Apache Clash on Web Standard - ' A bug in IE'
( Page 2 of 2 )

?">

A bug in IE?

"It definitely looks like a bug in MS IE," said Apache Software Foundation Chairman Roy Fielding, in Newport Beach, Calif. "We will not change our implementation in order to accommodate this bug, since it could be considered a weakening of that digest authentication feature."

In eWEEK Labs opinion, the Microsoft implementation is not a security hole, but security needs to be more than just patching leaks—its also about ensuring that critical IT infrastructure products can interoperate securely.

Digest authentication will be especially important as Web services proliferate. It is far more secure than the other standardized alternative—basic authentication—which sends user names and passwords in plain text over the wire.

Microsoft customers do have another option, the Microsoft-proprietary integrated Windows authentication, which provides wire-level security similar to digest authentication. However, this works only with Microsoft Web browsers and Web servers. It cannot be used if Web clients send requests through a proxy server, which digest authentication can handle.

For developers who want to build truly interoperable secure Web applications, the only available option is to encrypt all data between a Web client and server using SSL (Secure Sockets Layer) and to fall back to basic authentication.

This is a secure option, but digest authentication is a valuable middle ground between almost no security (what unencrypted basic authentication provides) and complete SSL encryption, with its considerable CPU overhead, more complex configuration, and associated recurring administrative costs of getting and maintaining a valid SSL certificate.

In fact, our desire at the Labs for just such a middle ground was how we discovered this problem—one that has not been reported before, according to Scott Lawrence, one of RFC 2617s co-authors and maintainer of the specifications official errata list.

eWEEK Labs West Coast Technical Director Timothy Dyck can be reached at timothy_dyck@ziffdavis.com.

Related stories:

  • Microsoft Patch Repairs 6 IE Flaws
  • Security Flaws Found in IE 6.0
  • Apache Avoids Most Security Woes
  • IE 6.0: Big in Name Only
  • IIS: Stay or Switch?
  • Fed Up With IIS







     
     
    >>> More IT Security & Network Security News & Reviews Articles          >>> More By Timothy Dyck
     


    • FEATURED SPONSOR VIDEOS

    Benefits of Workload Optimization

    What Smart Companies MUST Learn from Gaming

    Advances in Authentication

    Vertical Markets Benefit from Workload Optimization

    View More Videos

    Brought to you by
    Advertisement

    FEATURED SPONSOR MESSAGE

    Microsoft Sponsored Resource Center

    Increase Your Microsoft Office 365 Knowledge! Dig inside this suite of cloud-based collaboration tools.

    Watch the video >>

    Brought to you by

    Suggested Related Content:

    Articles Labs/How-To Multimedia


    Advertisement
    Contact Us | About | Advertise | Site Map
    eWEEK Quick LInks

    Security:
    Enterprise Networking
    Network Security
    Infrastructure Security
    How To: Data
    Security Watch Blog
    Storage:
    Data Storage
    Cloud Storage
    Storage Virtualization
    Network Access Storage
    How To: Storage
    Storage Station Blog
    Computing:
    Apple OSX
    Linux Systems
    Windows 7
    Managed Print Services
    Computer Reviews
    Microsoft Watch Blog
    Google Watch Blog
    Communications:
    VoIP Solutions
    Wireless Technology
    Messaging Software
    Web Services
    Apps & Development:
    Application Development
    Enterprise Apps
    Search Engines
    Database Software
    Web 2.0
    CIOs

    Vertical Markets:
    Federal Government IT
    Health Care IT
    Finance IT
    Mid-Market
    Channel and VARs
    Careers Blog
    More eWeek Links:
    Green Computing Center
    Tech Knowledge Center
    Tech Newsletters
    Tech RSS Feeds
    White Papers
    Tech Videos
    Magazine Subscriptions
    Enterprise Websites:
    ZDE Home
    eWeek
    Baseline Magazine
    Channel Insider
    CIO Insight
    eSeminars and Events
    Web Buyers Guide
    Developer Websites:
    DevSource C# and .Net
    Dev Shed
    DeveloperShed
    ASP Free
    SEO Chat
    Codewalkers
    Tutorialized
    Scripts.com
    Dev Mechanic
    Dev Articles
    Web Hosters
    Dev Hardware
    Technology Websites:
    Device Forge
    Desktop Linux
    Linux Devices
    Windows for Devices
    PDF Zone
    Linux Watch
    TechDirect
    Windows Migration
    Smarter Technology

    Use of this site is governed by our Terms of Use and Privacy Policy
    Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
    ZDE Cluster 5
     
    Close this advertisement