[4543] in WWW Security List Archive
Re: Basic Authentication
daemon@ATHENA.MIT.EDU (Aaron Abelard)
Thu Feb 20 19:58:57 1997
Date: Thu, 20 Feb 1997 17:02:20 -0500 (EST)
From: Aaron Abelard <aarona@iquest.net>
To: Douglas Song <dugsong@umich.edu>
cc: www-security@ns2.rutgers.edu, www-security@umich.edu
In-Reply-To: <Pine.SOL.3.95.970220160547.25449E-100000@lukyduk.ifs.umich.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 20 Feb 1997, Douglas Song wrote:
> On Thu, 20 Feb 1997, Aaron Abelard wrote:
>
> > Here's something very on topic for www-security. According to the HTTP/1.0
> > specification (http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#AA) the
> > username and password used in Basic Authentication is sent as clear
> > text. Does this not allow for the possibility of the information being
> > snooped? Also, are there any authentication schemes in use other than
> > Basic?
>
> There aren't any currently, and Netscape at least ALWAYS interprets the
> 'WWW-Authenticate' header as having a value of 'Basic' (so you get
> prompted for a username and password) even if something else is specified!
> This has to change if they want to support the new HTTP 1.1 digest
> authentication scheme (RFC 2069), and any future authentication methods
> (such as Kerberos, which we're looking at implementing now as an extension
> of the digest auth scheme).
>
> Browsers should just give up and display the HTML following the 401
> (Unauthenticated) status if they don't support the auth type specified in
> a 'WWW-Authenticate' field. Defaulting to 'Basic' is just a really BAD
> idea (check out section 15.2 of the HTTP 1.1 specification for reasons why
> - http://andrew2.andrew.cmu.edu/rfc/rfc2068.html)...
>
I agree. Since this is very on-topic for this list, I'd be curious if
anyone watching this list is also in the development team for Apache and
knows if Apache will be supporting RFC 2069?
--
Aaron Abelard / aarona@iquest.net
IQuest Internet / www.iquest.net
Indianapolis, IN / 317.259.5050.301
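The two points raised in the thread above, that a Basic credential is one base64 decode away from being read off the wire and that a client faced with a 401 should parse the WWW-Authenticate scheme rather than assume Basic, can be shown in a few lines. The following is an added example written for this archive page, not code from the thread's authors, Apache or any browser. The captured request, the host www.example.com, the credentials alice/s3cr3t, and the realm and nonce values are all constructed for illustration; the Digest computation follows the RFC 2069 definitions (A1 = username:realm:password, A2 = method:uri, response = H(H(A1):nonce:H(A2)) with H = MD5).

```python
"""Added example: what Basic auth leaks on the wire, how a client should
handle an unfamiliar WWW-Authenticate scheme, and what RFC 2069 Digest
sends instead.  All header values and credentials below are constructed."""
import base64
import hashlib
import re

# A constructed HTTP/1.0 request, as a sniffer on the same segment would see it.
CAPTURED_REQUEST = (
    "GET /private/ HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "\r\n"
)


def recover_basic_credentials(raw_request):
    """Return (username, password) from a sniffed Basic Authorization header.
    Base64 is an encoding, not encryption: this is the entire 'attack'."""
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)\s*$", raw_request, re.M | re.I)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("latin-1")
    # Only the first ':' separates the fields; a password may itself contain ':'.
    user, _, password = decoded.partition(":")
    return user, password


def parse_challenge(header_value):
    """Split one WWW-Authenticate value into (scheme, {param: value}).
    Scheme is the leading token; params are comma-separated token=value or
    token="quoted-string" pairs (RFC 2068 / RFC 2069 challenge syntax)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme.lower(), params


SUPPORTED_SCHEMES = ("digest", "basic")  # preference order: never prefer Basic


def choose_auth(challenges):
    """Client-side handling of a 401: pick a supported scheme, preferring
    Digest.  If no offered scheme is supported, return None so the caller
    renders the 401 body instead of silently prompting for Basic."""
    parsed = [parse_challenge(c) for c in challenges]
    for wanted in SUPPORTED_SCHEMES:
        for scheme, params in parsed:
            if scheme == wanted:
                return scheme, params
    return None


def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2069 response-digest: H(H(A1) ":" nonce ":" H(A2)) with
    A1 = username:realm:password, A2 = method:uri, H = MD5 hex digest.
    Only this 32-hex-char value is sent; the password never leaves the client."""
    h = lambda s: hashlib.md5(s.encode("latin-1")).hexdigest()
    ha1 = h("%s:%s:%s" % (username, realm, password))
    ha2 = h("%s:%s" % (method, uri))
    return h("%s:%s:%s" % (ha1, nonce, ha2))


def server_accepts(expected_password, realm, nonce, method, uri, username, response):
    """Server side: recompute from the stored password and compare."""
    return digest_response(username, expected_password, realm, nonce, method, uri) == response


if __name__ == "__main__":
    print("sniffed Basic credentials:", recover_basic_credentials(CAPTURED_REQUEST))
    offered = ['Digest realm="Private", nonce="abc123"', 'Basic realm="Private"']
    print("client picks:", choose_auth(offered))
    print("unsupported scheme only:", choose_auth(['Kerberos realm="Private"']))
    resp = digest_response("alice", "s3cr3t", "Private", "abc123", "GET", "/private/")
    print("Digest response on the wire:", resp)
```

The Digest exchange keeps the password off the wire, but a sniffer still sees a value usable for replay until the server rotates the nonce, and MD5 of a low-entropy password can be brute-forced offline from a captured response; neither scheme substitutes for an encrypted transport.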