A bug in IE
?"> A bug in IE? "It definitely looks like a bug in MS IE," said Apache Software Foundation Chairman Roy Fielding, in Newport Beach, Calif. "We will not change our implementation in order to accommodate this bug, since it could be considered a weakening of that digest authentication feature."Digest authentication will be especially important as Web services proliferate. It is far more secure than the other standardized alternativebasic authenticationwhich sends user names and passwords in plain text over the wire. Microsoft customers do have another option, the Microsoft-proprietary integrated Windows authentication, which provides wire-level security similar to digest authentication. However, this works only with Microsoft Web browsers and Web servers. It cannot be used if Web clients send requests through a proxy server, which digest authentication can handle. For developers who want to build truly interoperable secure Web applications, the only available option is to encrypt all data between a Web client and server using SSL (Secure Sockets Layer) and to fall back to basic authentication. This is a secure option, but digest authentication is a valuable middle ground between almost no security (what unencrypted basic authentication provides) and complete SSL encryption, with its considerable CPU overhead, more complex configuration, and associated recurring administrative costs of getting and maintaining a valid SSL certificate. In fact, our desire at the Labs for just such a middle ground was how we discovered this problemone that has not been reported before, according to Scott Lawrence, one of RFC 2617s co-authors and maintainer of the specifications official errata list. eWEEK Labs West Coast Technical Director Timothy Dyck can be reached at firstname.lastname@example.org. Related stories:
Microsoft Patch Repairs 6 IE Flaws
Security Flaws Found in IE 6.0
Apache Avoids Most Security Woes
IE 6.0: Big in Name Only
IIS: Stay or Switch?
Fed Up With IIS
In eWEEK Labs opinion, the Microsoft implementation is not a security hole, but security needs to be more than just patching leaksits also about ensuring that critical IT infrastructure products can interoperate securely.