Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE, Apache Clash on Web Standard

Posted by krow on from the are-the-malicious,-or-just-idiots dept.

sbsea1 writes "Here is another instance where Microsoft is going one way and everybody else going to other. eWEEK Labs found that Microsoft is using a different implentation of digest authentication which differs from the W3C's digest authentication standards. Internet Explorer Version 5.0 and higher--as well as Microsoft's IIS Web server--has a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server."

3 of 51 comments (clear)

  1. Re:People, please read the article by aminorex · · Score: 3, Interesting

    This is a bizarre interpretation. MS introduces
    an incompatible extension to a standardized
    protocol (as usual) and then when someone doesn't
    implement that proprietary extension, you fault
    them for it? I think you are using the word
    "fault" in some new monkeyboy sense.

    As is so very typical of Microsoft's "innovation",
    it is the pitiable consumers of MS software who
    suffer, and nobody gains except MS. Because of the
    prevalence of IE on corp desktops (declining, yes,
    but still a substantial prevalence), they can
    use this as an opportunity to push IIS, which
    implements the proprietary version of digest
    authentication compatibly with IE.

    --
    -I like my women like I like my tea: green-
  2. Re:Clash on web standard? by Jon+Peterson · · Score: 3, Interesting

    Hey, that works both ways!!

    Obviously the Apache Group did not do compatibility testing with the most popular browser on the net, either. Both sides (or, IMHO, none) are at fault on this.

    The fact is, this is a new standard that practically no-one is using in anger at the moment. Look at all the other incompatible implementations there have been of new RFCs. It happens all the time, not just with MS.

    This is a complete non-issue. "Today, a very early adopter of a new technology notified two software companies that they'd chosen incompatible interpretations of spec. The two companies agreed to make their implementation compatible in future."

    Yeah, big story.

    --
    ----- .sig: file not found
  3. Re:Digest vs HTTPS by Zeinfeld · · Score: 3, Interesting
    One of the main design issues for DIGEST was to eliminate BASIC from the spec entirely. There is no place for a spec that sends passwords en-clair.

    The problem is that most people, myself included share passwords across uses. I have something like 200 active authentication points, there is simply no way that I could remember 200 separate passwords if I tried. I have three passwords that I use for high medium and low security. But most people happily share their corposrate password with their WareZ site password.

    Although passwords inevitably involve a certain degree of information sharing, DIGEST is dfesigned to ensure that this is minimized. If you give a password to a site and the site is compromised the information stored in their database does not compromise any other site.

    The main problem with mechanisms such as SRP is that they are all aledgedly encumbered. The patents are also fairly new.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/