Date: Mon, 8 Dec 1997 13:29:54 -0800 (PST)
From: Alexei Kosut
To: TLOSAP
Subject: Re: Communicator 4.04 little bug (fwd)
Sender: new-httpd-owner@apache.org
Reply-To: new-httpd@apache.org

On Mon, 8 Dec 1997, Marc Slemko wrote:

> Sigh.

Yeah. Netscape has done this for as long as I can remember. When I wrote
mod_digest, I believe I tested it with Navigator 1.0 and 1.1, and got this
behavior. I sent them a bug report at the time... Cute, isn't it?

> ---------- Forwarded message ----------
> Date: Sun, 7 Dec 1997 18:34:30 +0000
> From: Kenobi
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Communicator 4.04 little bug
>
> hi!
>
> i was testing some stuff with Digest Authentication and noticed this little
> problem with Communicator 4.04 (Tested on Linux and NT). IE3.02 (the only
> available around here) does not experience this problem.
>
> Apparently Communicator does not support Digest Auth but it still accepts
> the challenge. After the user enters his username and password, Communicator
> sends it to the server but obfuscated with Basic.
>
> Now, if you set up a site protected with Digest, you would expect the
> password not to travel plaintext (basic is plaintext) on the network, but
> that is what happens.
>
> the correct procedure would be to fail right there when he receives the
> WWW-Authenticate: Digest header, like IE does.
>
> --
> Kenobi, JAPH BOFH Not-Eng
> http://www.pulhas.org/~kenobi/
> kenobi@pulhas.org
> -- I dunno, I dream in Perl, sometimes -- LWall
>
>

--
Alexei Kosut
Stanford University, Class of 2001 * Apache *
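
A server-side check for the behaviour reported above, as an added example that is not part of the original messages or of mod_digest: it flags an Authorization header whose scheme was never offered in the challenge, and decodes the Basic value to show that the password is recoverable by anyone on the path. The function names and the sample header values are constructed for illustration.

```python
import base64
import binascii

def auth_scheme(header):
    """Return the lowercase scheme of an Authorization header value, or None."""
    return header.split(None, 1)[0].lower() if header and header.strip() else None

def basic_credentials(header):
    """Decode a Basic Authorization value to (user, password); None if malformed."""
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_response(offered, header):
    """Classify a client's Authorization header against the offered schemes.

    offered: set of lowercase scheme names the server sent in WWW-Authenticate.
    Returns 'no-credentials', 'ok', or 'downgrade' (scheme was never offered).
    """
    scheme = auth_scheme(header)
    if scheme is None:
        return "no-credentials"
    return "ok" if scheme in offered else "downgrade"

def exposed_users(offered, headers):
    """Users whose password was sent in Basic form although Basic was not offered."""
    leaked = []
    for header in headers:
        if check_response(offered, header) == "downgrade":
            creds = basic_credentials(header)
            if creds:
                leaked.append(creds[0])
    return leaked

# Constructed sample Authorization values (not captured traffic).
SAMPLE = [
    'Digest username="alice", realm="private", nonce="abc", uri="/", response="00"',
    "Basic " + base64.b64encode(b"bob:hunter2").decode("ascii"),
    "",
]

if __name__ == "__main__":
    for h in SAMPLE:
        print(check_response({"digest"}, h), "<-", h[:40])
    print("exposed:", exposed_users({"digest"}, SAMPLE))
```

Rejecting the request does not undo the exposure: by the time the server sees the Basic header, the password has already crossed the network.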