IE, Apache Clash on Web Standard 51
sbsea1 writes "Here is another instance where Microsoft is going one way and everybody else going to other.
eWEEK Labs found that Microsoft is using a different implentation of digest authentication which differs from the W3C's digest authentication standards. Internet Explorer Version 5.0 and higher--as well as Microsoft's IIS Web server--has a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server."
doesnt look that bad... (Score:5, Insightful)
Re:doesnt look that bad... (Score:2, Insightful)
Re:doesnt look that bad... (Score:2, Insightful)
Re:doesnt look that bad... (Score:1)
It nice to see that Microsoft and the Apache group are able to work out the little bug or mis-implementation. I'm not thrilled nor very happy with Microsoft, but they aren't always at fault.
Re:doesnt look that bad... (Score:1)
I believe most of microsofts "flukes" are looked at in the wrong light here.. the way i see it, their "innovation" as they call it, is just a way for them to make my job as a sysadmin (okay.. so i don't have a job right now. damned economy.) easier by integrating their products together in the best way possible - most of their products still have some backwards compatable functionality..
Re:doesnt look that bad... (Score:1)
A bug? I think not... (Score:2, Insightful)
This incompatibility has been in place for about 2 years in IE, and is also built-in to IIS. That is not an oversite. That is yet another example of a company trying to pick and choose which standards they can disregard with impunity.
Make no mistake, Microsoft aren't going to willingly "comply" with any technology or standard that facilitates fair competition.
Re:doesnt look that bad... (Score:2)
I am running Windows 3.1 beta on DR-DOS and I keep getting this "Non-fatal error" message. If Microsoft would only stop writing buggy software
Re:its beta! (Score:2)
No, I do not runn Windows 3.1 nor do I run DR DOS.
People, please read the article (Score:2, Informative)
We [microsoft] were told by the Apache group that it would support multiple digest protocols. The MS Digestion protocol just hasn't been implemented by Apache yet.
In other words, like the libXML problem we all remember from last year, this is Apache's fault.
Re:People, please read the article (Score:1)
Re:People, please read the article (Score:3, Interesting)
an incompatible extension to a standardized
protocol (as usual) and then when someone doesn't
implement that proprietary extension, you fault
them for it? I think you are using the word
"fault" in some new monkeyboy sense.
As is so very typical of Microsoft's "innovation",
it is the pitiable consumers of MS software who
suffer, and nobody gains except MS. Because of the
prevalence of IE on corp desktops (declining, yes,
but still a substantial prevalence), they can
use this as an opportunity to push IIS, which
implements the proprietary version of digest
authentication compatibly with IE.
Clash on web standard? (Score:1, Redundant)
- Steve
Re:Clash on web standard? (Score:1)
I'd say that it is a clash in that obviously Microsoft did not then do compatibility testing with any non-MS products it seems. Not to mention that for everybody else to have interpreted some other way implies to me that there was discussion about the issue. Strangely enough, that's one of the purposes of the working group mailing lists, to help implementors iron out deficiencies in the spec.
IIRC, the spec isn't supposed to become a true standard until there are two independent implementations. So, again, if MS had a question about an inconsistency in the spec, they should have been able to test against those implementations.
-Robert
Re:Clash on web standard? (Score:3, Interesting)
Obviously the Apache Group did not do compatibility testing with the most popular browser on the net, either. Both sides (or, IMHO, none) are at fault on this.
The fact is, this is a new standard that practically no-one is using in anger at the moment. Look at all the other incompatible implementations there have been of new RFCs. It happens all the time, not just with MS.
This is a complete non-issue. "Today, a very early adopter of a new technology notified two software companies that they'd chosen incompatible interpretations of spec. The two companies agreed to make their implementation compatible in future."
Yeah, big story.
Re:Clash on web standard? (Score:1, Insightful)
Differences in computing the message digest? (Score:2, Informative)
Does anyone have any real information about the actual differences between how Microsoft and Apache are computing the message digest? The article does not say much. I know the Microsoft and Netscape used to have some interop problems because one implemenation (Netscape's, I think) would include a string's NUL terminator when computing a message digest. This would obviusly lead to a different result.
It's not a clash it's a discussion ;) (Score:1)
Microsoft is not doing anything which other companies don't do. They are just too big to be ignored, that's the real problem.
But that's our own fault. Why do we buy and use MS products? Why do we program for Microsoft (directly or indirectly)? Could be we all have the same motive$ as M$ has? And are just envious, because if M$ coughs, everyone else has a cold?
No need to change a single line of code in Apache. Apache is the de-facto standard, not IIS.
Re:It's not a clash it's a discussion ;) (Score:1, Insightful)
Re:It's not a clash it's a discussion ;) (Score:3, Insightful)
Hence it breaks down to standard browser against standard server.
But there is no need to give up too early from Apache's side. The function is not in wide use yet and will not in the near future IMO. If a web apllication needs authenticication, it will probably also need encryption of the data somewhere down the menu-tree (if only to change the password). Allthough SSL has a higher price-tag (in dollars or cpu-cycles), it also has the advantage of being supported by practically all browsers.
Time for discussions - not for early give-ins.
Re:It's not a clash it's a discussion ;) (Score:1)
Demographics change. Quickly.
Hence, relying on IE as the de facto standard is pretty near-sighted.
inkly
M$ - Setting the standard, by force. (Score:1)
who cares about digest authentication anyway? (Score:4, Informative)
These days, for casual passwords like /. logins, HTTP basic authentication is still usually good enough. For passwords that need real security, use mod_ssl [modssl.org] instead, which is easily added to Apache 1.3 and comes with Apache 2.0 by default, and do basic auth over SSL so the whole HTTP stream is encrypted including the password. HTTP digest authentication's security is sort of halfway between HTTP basic auth and HTTPS basic auth. As a halfway measure, it's not really that useful any more.
Re:who cares about digest authentication anyway? (Score:5, Informative)
SSL did not exist when I invented the Digest mechanism. The problem was the patent on RSA and Diffie Helleman.
Digest was invented for one reason and one reason alone which was to provide a replacement for BASIC and avoid sending password in the clear.
Microsoft implemented Digest first, but Netscape refused. This was before they hired a credible security person. They believed that sending passwords over the internet en-clair was a less important security issue than protecting the authentication information in the Web server storage.
Microsoft removed Digest from IE in IE4 as Netscape refused to implement. Then the IETF stated that HTTP could not become a standard if it sent passwords en-clair at which point people pulled the draft out again.
Removing Digest from IE was not a big issue for me since if only Microsoft was going to implement the standard they might as well use the NT password authentication scheme.
The dictionary attack issue is important, but it was not possible to address it given the state of the IPR at the time. If Diffie Helleman had been available I would have designed the protocol entirely differently. It would have been possible to address security of the auth data on the wire and in storage.
For passwords that need real security, use mod_ssl [modssl.org] instead, which is easily added to Apache 1.3 and comes with Apache 2.0 by default, and do basic auth over SSL so the whole HTTP stream is encrypted including the password. HTTP digest authentication's security is sort of halfway between HTTP basic auth and HTTPS basic auth.
Actually I would recomend Digest over HTTPS. The problem with BASIC is that you have to trust the end point, that is fine if the application is such that the application justifies buying a certificate or securely distributing the point of trust.
More generally however I would suggest people look at our more recent work in SAML (security services at www.oasis-open.org)
Digest vs HTTPS (Score:2)
I don't understand "The problem with BASIC is you have to trust the end point", unless you mean you have to give them a password that you might also be using on other sites. Of course by even giving them the digest of the password, you let them mount an offline dictionary search. That means that the site also needs to keep the digest secret from attackers who might also want to do searches, so again you have to trust the site's security.
I agree with Netscape that unencrypted BASIC is good enough for a lot of purposes (how bad is it if someone intercepts your Slashdot password and changes your user preferences?). Applications that need more security (online banking) need enough design attention that buying a certificate ($125/year) isn't that big a deal. Low traffic sites can always use self-signed certificates which cost nothing (but pop a browser dialog when the user first connects). Really high security applications should use SSL client certificates instead of passwords. That avoids the need for any shared secrets. If you really want to use passwords over an unencrypted channel, it's best to use a protocol like SRP [stanford.edu], though like SSL, SRP would have been a problem before the DH patent expired.
Yes, if you look at the spectrum of all possible web applications, there's probably some examples where Digest is slightly preferable to the next best alternative, but with SSL easily available Digest just doesn't seem like a big deal any more.
Re:Digest vs HTTPS (Score:3, Interesting)
The problem is that most people, myself included share passwords across uses. I have something like 200 active authentication points, there is simply no way that I could remember 200 separate passwords if I tried. I have three passwords that I use for high medium and low security. But most people happily share their corposrate password with their WareZ site password.
Although passwords inevitably involve a certain degree of information sharing, DIGEST is dfesigned to ensure that this is minimized. If you give a password to a site and the site is compromised the information stored in their database does not compromise any other site.
The main problem with mechanisms such as SRP is that they are all aledgedly encumbered. The patents are also fairly new.
Re:Digest vs HTTPS (Score:2)
Re:Digest vs HTTPS (Score:2)
One of the bastards that owns one of the other patents sent a patent troll letter to the IETF.
It's really isn't feasible to get rid of BASIC once BASIC is in a lot of browsers.
It wasn't when I wrote the spec, a week after they did BASIC. What happened was that they told me they were using RSA, then they found the patent issues were going to be too much of a problem and they did BASIC without actually mentioning the change of plan to me.
The problem was that the people writing the code knew enough about security to be dangerous, but not enough to be useful. They had heard the UNIX encrypted password file argument and were applying to an inappropriate context. It was cargo cult security, slogans not thought.
Why not use htaccess? (Score:1)
I don't use Windows Authentication in my applications because it wont work in anything but IE. I guess the same can be said for digest.
huper