Digest authentication broken in IE & IIS
Great. Just frelling great. IE‘s digest authentication mechanism is incompatible with Apache’s. By the same token, IIS’s is incompatible with any browser but IE. I am not normally one for Microsoft conspiracy theories, but considering Microsoft’s lukewarm response (“the nature of this particular issue does not put customer data at risk or pose a known security threat, so the fix will be prioritized accordingly”), I have to wonder whether this is a mistake or a strategy. I’m sorry, but passing passwords in the clear does indeed “put customer data at risk”!!
A while back I spent an evening digging through the Apache source code to figure out how they implement digest authentication. I’ve read the RFC. It is not so hard that it should confound the crack programmers at Microsoft.
Since Mozilla finally supports digest authentication (since 0.9.7, which you may recall surprised me since I had assumed Mozilla already did support something this basic), I was all set to start using it as a matter of course. I already do use it in certain circumstances, with Apache and Mozilla. But now…what? How many more years do we have to wait before we can expect even this rudimentary security?
25 Mar 2002 Sam