page 1 of 1
Comments: 21 | Views: 13651
#Mar 16th, 2006 @ 4:45 PM
Maurits
Maurits
AKA Matthew van Eerde
The IE blog had a very interesting post yesterday about security tweaks.

If a website requests Basic HTTP authentication over a non-SSL connection, text is added to the Username/Password box to the effect that "this username and password will be transmitted insecurely."

Which is all very well and good.  Except that IE doesn't1 support Digest HTTP Authentication, which was designed to cover this shortfall in Basic Authentication.

... unless it's connecting to an IIS server.  Then Digest HTTP Authentication works just fine.

So we have the following situation:

IE6 <-Basic-> IIS: works fine
IE6 <-Digest-> IIS: works fine
IE6 <-NTLM-> IIS: works fine
IE6 <-Basic-> Apache: works fine
IE6 <-Digest-> Apache: DOES NOT WORK2 works fine (Apache accepts IE6's incorrect headers)
IE6 <-NTLM-> Apache: works fine
Firefox <-Basic-> IIS: works fine
Firefox <-Digest-> IIS: DOES NOT WORK (IIS does not accept Firefox's correct headers)
Firefox <-NTLM-> IIS: works fine
... and now...
IE7 <-Basic-> IIS: UGLY WARNING
IE7 <-Digest-> IIS: works fine
IE7 <-NTLM-> IIS: works fine
IE7 <-Basic-> Apache: UGLY WARNING
IE7 <-Digest-> Apache: DOES NOT WORK works fine
IE7 <-NTLM-> Apache: works fine

So as I read this, if you want to use IIS, you're stuck with either:
* Sticking your IE7 consumers with a big ugly warning
* Shutting out your Firefox consumers
* Using NTLM

I'm in favor of adding the warning.  I agree that plaintext not-over-SSL is a bad way to transport passwords.

But... and this is my point... I think Digest Authentication should be fixed FIRST3.  Otherwise this is just a way to push NTLM, no?

Thoughts?

1Microsoft claims it does.  But see my comments on the blog post. (I believed them at first, and mistakenly thought what I was seeing was a Firefox bug.  But then I read the RFC.)
2See http://www.eweek.com/article2/0%2C1895%2C1500432%2C00.asp
3Note that fixing IE7's Digest Authentication will probably entail fixing IIS's Digest Authentication first.

So the critical path is:
1) Fix IIS Digest Authentication (release patches for downlevel IIS servers...)
2) Fix IE Digest Authentication (release patches for downlevel IE clients...)
3) Add the Basic Authentication warning.

EDIT: According to David Wang this bug is fixed in IIS 6.
#Mar 16th, 2006 @ 6:00 PM
Maurits
Maurits
AKA Matthew van Eerde
To clarify how this could be fixed...

By "Fix IIS Authentication" I mean

* Begin accepting Authorization: Digest ... qop=auth ... headers (to comply with the standard)
* Continue accepting Authorization: Digest ... qop="auth" ... headers (to humor the broken IE clients out there... at least for a while)

By "Fix IE Authentication" I mean

* Begin sending Authorization: Digest ... qop=auth ... headers by default (to comply with the standard)
* IF qop=auth fails AND the server advertises itself as IIS (via the Server header) retry with qop="auth" (to humor the broken IIS servers out there... at least for a while)
#Mar 16th, 2006 @ 7:33 PM
Jorgie
Jorgie
Jorgie

+10 points for finding and documenting a bug that should confirmed by MS and fixed.

-50 points for using an overly sensational subject guaranteed to leave a bad taste in the mouth of anyone on the IE or IIS team.

If you actually want it fixed you need to leave out the BS. But then again based on the subject you don't want it fixed, you want to troll.

Jorgie

#Mar 16th, 2006 @ 11:05 PM
Maurits
Maurits
AKA Matthew van Eerde
Pish-tosh.  This bug is far too obvious to have lasted this long.  All anyone had to do to discover it was try to connect to a Digest-protected resource on IIS in Mozilla or Firefox.  What were the IIS testers doing?  Or was it reported, and did management say "why should we fix a bug that works to our advantage?"
#Mar 16th, 2006 @ 11:57 PM
W3bbo
W3bbo
The Master of Baiters
The problem with NTLM is that you kick-out all your non-Firefox/non-IE users (I think other Gecko browsers support it, but I know Opera doesn't)
#Mar 17th, 2006 @ 2:50 AM
StretchMan
StretchMan
On the rebound! / Sur le rebond!
Jorgie wrote:

...
If you actually want it fixed you need to leave out the BS. But then again based on the subject you don't want it fixed, you want to troll.

Jorgie



Was this so obvious ?  lmao
#Mar 17th, 2006 @ 3:26 AM
thepuffin
thepuffin
W3bbo: Opera 9 is your friend Wink
#Mar 17th, 2006 @ 9:33 AM
W3bbo
W3bbo
The Master of Baiters
thepuffin wrote:
W3bbo: Opera 9 is your friend Wink


Not really, I need NTLM and Firefox does the job fine for me Smiley
#Mar 17th, 2006 @ 11:09 AM
Maurits
Maurits
AKA Matthew van Eerde

There's a similar bug with the algorithm=MD5 parameter.  IE sends
     algorithm="MD5"
which is a minor violation of the RFC.

IIS accepts
     algorithm="MD5"
which is a perfectly valid extension of the RFC... but...

IIS REJECTS
     algorithm=MD5
which is a SEVERE BUG.  So long as this bug and the qop bug exist, IIS cannot claim to support Digest authentication (in my view.)

#Mar 17th, 2006 @ 1:32 PM
Maurits
Maurits
AKA Matthew van Eerde

All my testing thus far has been against IIS 5.  Can someone with an IIS 6 or IIS 7 server check whether the bug is still there?

Repro:

Set up an IIS website on a server that is part of a domain
Create a subdirectory /digest-test/ with a default document
In Internet Services Manager, right-click the subdirectory:

Properties | Directory Security | Anonymous access and authentication control | Edit

Uncheck:
Anonymous access
Basic authentication
Integrated Windows authentication

Check:
Digest authentication for Windows domain servers

In Active Directory, create a test user
On the "Account" tab, make sure "store password with reversible encryption" is checked
Change the password on the account

In Internet Explorer, go to http://the-site.example/digest-test/

Sign in with the username and password for that account

Verify that the page loads successfully

In Firefox, go to http://the-site.example/digest-test/

Sign in with the username and password for that account

Verify that the page loads successfully

Still in Firefox, click Refresh

If the page loads successfully, the bug is most likely fixed (check the headers if you can, to make sure)

If the page fails with a "The network request is not supported" error, the bug is most likely still there (check the headers if you can, to make sure)

#Mar 20th, 2006 @ 11:41 AM
Maurits
Maurits
AKA Matthew van Eerde

IIS 6/IIS 7 repro, please, anyone?

I've left a comment on David Wang's blog, the closest thing to an IIS blog I could find...

#Mar 22nd, 2006 @ 1:47 PM
Maurits
Maurits
AKA Matthew van Eerde
I opened a support case on this.  The support engineer confirmed that the problem exists in IIS 5. He recommended that I either
* upgrade to IIS 6
or
* mandate clients to use Internet Explorer when accessing Digest-protected resources

He gave me back my $99 and closed the case.

So, it seems Microsoft is not interested in issuing a hotfix or a patch for IIS 5.

Given
* IIS5's popularity (at least, as of the latest available survey)1
and
* IE7's upcoming warning message on Basic authentication
this seems to me to be irresponsible behavior on Microsoft's part.

EDIT:
1I did my own survey of the top 10 companies in the Fortune 500:

site

web server

OS

comment

walmart.com

IIS 6

Solaris 8

WTF

exxonmobil.com

IIS 5

Windows 2000

gm.com

Netscape Enterprise 4.1

Linux

ford.com

IIS 5

Linux

WTF

ge.com

Sun-ONE 6.1

Solaris 8

chevron.com

IIS 5

Windows 2000

conocophillips.com

IIS 5

Windows 2000

citigroup.com

?

Solaris 8

sly

aig.com

Netscape Enterprise (various)

Solaris 8

ibm.com

IBM_HTTP_Server

AIX

#Mar 22nd, 2006 @ 3:39 PM
DJZ
DJZ
DJZ
To those of you who think this post is a troll, I disagree.

Having spent a considerable amount of my working life away from MS tools (although a considerable amount with them also) I completely understand his point of view.

Every time I come back to MS land and find another incompatibility it annoys me.  MS don't care, or don't seem to care, they definitely give the impression that they like to keep it that way.

Lok at Apache, they put in configuration options to interoperate with MS bugs.  MS would NEVER do that for another provided, let alone bring their product into compliance.




#Mar 22nd, 2006 @ 4:00 PM
Maurits
Maurits
AKA Matthew van Eerde
Thanks, DJZ, that $20 is on its way to your PayPal account Wink
#Mar 23rd, 2006 @ 4:28 AM
AndyC
AndyC
I guess this is a tough call for MSFT. Those IIS5 machines are almost certainly running Windows 2000, which is out of mainstream support. It's not really a "critical" bug in the security sense, so it's not surprising that they don't issue a fix for that. Releasing a fix for XP's IIS install would be next to useless, as no major system is going to be using that.
#Mar 23rd, 2006 @ 11:35 AM
Maurits
Maurits
AKA Matthew van Eerde
I see your point.

IIS 5 is out of mainstream support, and it's not a security bug.
IIS 6 works.

IE 6 is still in mainstream support... but fixing the bug would break access to IIS 5 servers.  (Rightly so, perhaps, but try explaining that to the customer who can't access his email.)

IE 7 is going to make the situation worse by warning users about Basic authentication1, but c'est la vie.

I'm sad that Windows 2000 mainstream support ended so soon.  I like to skip versions (install version X, skip X + 1, install X + 2, etc.) and I wish that Windows 2000 mainstream support had been extended until Windows Longhorn Server was released.

1Which I am, otherwise, in favor of
#Apr 15th, 2006 @ 10:27 AM
Maurits
Maurits
AKA Matthew van Eerde
Update... the tech did give one other option when closing the support case that I didn't mention:

3) Write an ISAPI filter to preprocess incoming requests and add the quotes around "auth"

I've done this and it seems to work well - I can now access my Digest-protected IIS5-served resources in Firefox as well as IE!  I'll post the code to the Sandbox.

EDIT: Posted.
#Sep 9th @ 12:23 PM
Matthew van Eerde
Matthew van Eerde
AKA Maurits

I've seen some evidence to suggest that this may have regressed on IIS 7.  Can anyone with an IIS 7 server help to confirm?  I'm no longer in a position where I can easily experiment with a configured IIS machine.

#Sep 9th @ 1:47 PM
ZippyV
ZippyV
Fired Up

You work at Microsoft and you can't ask the IIS team?

#Sep 9th @ 2:48 PM
AndyC
AndyC

If you haven't got anyone to try it by tomorrow, I'll try and have a quick look. I don't have easy access to an IIS7 box in a domain I can fiddle with the reversible encryption setting right now. But I can probably stick one in our test domain to give it a quick try if needed.

#Sep 9th @ 5:17 PM
Matthew van Eerde
Matthew van Eerde
AKA Maurits

I am, of course, trying to find the right person on the IIS team to ping about this issue.  I'll be much more able to get their attention though if I can confirm the regression.

page 1 of 1
Comments: 21 | Views: 13651
Microsoft Communities