IE, Apache Clash on Web Standard
eWEEK Labs has discovered that Microsoft Corp.'s Internet Explorer Version 5.0 and higher—as well as the company's IIS Web server—has a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server.
The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose.
The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, every non-IE browser we tested couldn't be used as a client for any Internet Information Services-based Web application that uses digest authentication. (We tested this with Mozilla.org's Mozilla 0.9.9, Opera Software ASA's Opera 6.01 and the W3C's reference browser implementation Amaya; Netscape Communications Corp.'s Navigator doesn't currently support digest authentication. Static Web pages are not affected by the problem.)
Digest authentication hasn't had a big impact so far because it is a relatively new technology: IE 5.0 and IIS 5.0 (part of Windows 2000) were the first Microsoft products to support it. Mozilla, the foundation of the Navigator browser (and possibly the Web browser used in America Online Inc.'s next client upgrade), gained digest authentication only in late December.
After eWEEK Labs alerted Microsoft to the discovery, a Microsoft spokesman stated that the company has identified the issue and will work on a fix. However, the representative also told eWEEK Labs that "the nature of this particular issue does not put customer data at risk or pose a known security threat, so the fix will be prioritized accordingly."
Paul Leach, Microsoft's representative to the W3C's digest authentication standards committee and one of the specification's authors, attributed the problem to how the definition of one part of the digest authentication header conflicted with other statements in the standard about how the header needed to be built. Microsoft went one way; everyone else went the other way.
A bug in IE?
"It definitely looks like a bug in MS IE," said Apache Software Foundation Chairman Roy Fielding, in Newport Beach, Calif. "We will not change our implementation in order to accommodate this bug, since it could be considered a weakening of that digest authentication feature."
In eWEEK Labs' opinion, the Microsoft implementation is not a security hole, but security needs to be more than just patching leaks—it's also about ensuring that critical IT infrastructure products can interoperate securely.
Digest authentication will be especially important as Web services proliferate. It is far more secure than the other standardized alternative—basic authentication—which sends user names and passwords in plain text over the wire.
Microsoft customers do have another option, the Microsoft-proprietary integrated Windows authentication, which provides wire-level security similar to digest authentication. However, this works only with Microsoft Web browsers and Web servers. It cannot be used if Web clients send requests through a proxy server, which digest authentication can handle.
For developers who want to build truly interoperable secure Web applications, the only available option is to encrypt all data between a Web client and server using SSL (Secure Sockets Layer) and to fall back to basic authentication.
This is a secure option, but digest authentication is a valuable middle ground between almost no security (what unencrypted basic authentication provides) and complete SSL encryption, with its considerable CPU overhead, more complex configuration, and associated recurring administrative costs of getting and maintaining a valid SSL certificate.
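To make the basic-versus-digest contrast concrete, here is an added example (not from eWEEK Labs, Apache or Microsoft) that computes the RFC 2617 digest "response" value with qop=auth and verifies it server-side; the credential values are the ones used in RFC 2617's own worked example, and the query-string case in the comments is a constructed illustration of how any client/server disagreement about the hashed strings breaks the login.

```python
import base64
import hashlib
import hmac


def _md5_hex(text: str) -> str:
    # RFC 2617 digest authentication is defined over MD5; it is used here
    # only to reproduce the protocol arithmetic, not as a general-purpose hash.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_credentials(username: str, password: str) -> str:
    """Client side, Basic auth: base64 is an encoding, not encryption.
    Anyone on the wire can decode this and recover the password."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side, Digest auth (RFC 2617, qop=auth).
    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The password itself is never
    sent; only 'response' and the public parameters go in the Authorization header."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, qop, presented):
    """Server side: the server keeps HA1 (not the password), recomputes the
    expected response from its own view of the request, and compares in
    constant time. If client and server disagree about the exact string fed
    into HA2 (for example, which form of the request URI belongs there), the
    recomputed value differs and the login fails even with a correct password.
    That is the kind of header-construction mismatch the article describes."""
    ha2 = _md5_hex(f"{method}:{uri}")
    expected = _md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Values from RFC 2617 section 3.5; expected response 6629fae49393a05397450978507c4ef1
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
    print("digest response:", resp)
    print("basic header   :", basic_credentials("Mufasa", "Circle Of Life"))
```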
In fact, our desire at the Labs for just such a middle ground was how we discovered this problem—one that has not been reported before, according to Scott Lawrence, one of RFC 2617's co-authors and maintainer of the specification's official errata list.
eWEEK Labs West Coast Technical Director Timothy Dyck can be reached at firstname.lastname@example.org.