On Mon, 9 Jun 2003 04:07:02 +0200, André Malo wrote:
> Just my opinion: I don't like it very much, since it decreases
> security and violates the RFC very hard. The Client should be fixed,
> not the server. ....but I won't stand in the way if there are
> positive votes on it.
The security is only lessened when:

1) The initial URI compare fails (so if IE fixes this in the future, it wouldn't even hit this code)
2) A BrowserMatch is made (in my patch)

The changes allow a URI to match even if the query string does not. It still checks all other elements of the URI. This is a *very* small price to pay when you consider the only other option is to use Basic Authentication (clear text passwords... etc.). Microsoft seems to have little motivation to fix their implementation, but in the meantime digest authentication is rendered mostly useless. Yes, if you can control the client side it is a non-issue, but the fact of life is that the majority of the people on the internet do use Internet Explorer.

I think putting something like this patch in is the better of two evils. It would allow more widespread use of digest authentication over basic auth, but yes, it would be slightly less secure than the full implementation of digest for users of Microsoft's buggy IE. However, I think this change is very valuable for many sites that would like to use a more secure authentication system without trying to do everything over HTTPS.

Seriously. How much difference will a slightly mismatched URI matter when you consider how a digest auth is done? I think the security implications are well worth the cost to even allow IE clients to use digest authentication. Otherwise Digest will never see widespread use. Ever.

-chip
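The check the thread is arguing about, shown as an added example in Python (not httpd code and not the patch itself; the realm, account, nonce and helper names below are made up). In RFC 2617 Digest the server rebuilds the response hash from the uri= value the client put in the Authorization header, and separately checks that this digest-uri equals the Request-URI. A client that drops the query string from uri= still produces an internally consistent hash, so it only fails that equality check. The relaxed mode here models the thread's description: the query string is ignored, but every other component of the URI must still match.

```python
"""RFC 2617 Digest verification with an optional relaxed digest-uri check.
Added example; not code from httpd. Credentials and nonce are constructed."""
import hashlib
import hmac
import re
from urllib.parse import urlsplit

REALM = "example"                                     # hypothetical realm
USERS = {("chip", REALM): "s3cret"}                   # hypothetical account
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # nonce the server handed out

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def parse_digest_header(value: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict of parameters."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {k: quoted or bare for k, quoted, bare in _PARAM_RE.findall(rest)}


def digest_response(username, realm, password, method, digest_uri,
                    nonce, nc, cnonce, qop):
    """RFC 2617 3.2.2.1 for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2)).
    A2 uses the digest-uri from the header, so a client that omits the
    query string there still hashes consistently."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{digest_uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, method, digest_uri, nonce,
                        cnonce, nc="00000001"):
    """Client side: build the Authorization header (hypothetical helper)."""
    resp = digest_response(username, REALM, password, method, digest_uri,
                           nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{digest_uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}"')


def uri_matches(request_uri, digest_uri, ignore_query=False):
    """Strict: digest-uri must equal the Request-URI (RFC 2617 3.2.2).
    Relaxed: only the query string may differ; scheme, host and path
    must still be identical."""
    if not ignore_query:
        return request_uri == digest_uri
    req, dig = urlsplit(request_uri), urlsplit(digest_uri)
    return (req.scheme, req.netloc, req.path) == (dig.scheme, dig.netloc, dig.path)


def verify(method, request_uri, auth_header, relaxed_uri_check=False):
    """Server side check. Returns (ok, reason)."""
    p = parse_digest_header(auth_header)
    needed = {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}
    if not needed.issubset(p):
        return False, "missing parameters"
    if p["qop"] != "auth":
        return False, "unsupported qop"
    if p["nonce"] != SERVER_NONCE:
        return False, "unknown or stale nonce"
    if not uri_matches(request_uri, p["uri"], ignore_query=relaxed_uri_check):
        return False, "digest-uri does not match Request-URI"
    password = USERS.get((p["username"], p["realm"]))
    if password is None:
        return False, "unknown user"
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    if not hmac.compare_digest(expected, p["response"]):
        return False, "bad response"
    return True, "ok"


# Constructed request and three headers for it.
REQUEST_URI = "/secret/report.cgi?id=42"
CNONCE = "0a4f113b"
# Conforming client: uri= equals the Request-URI.
CONFORMING = build_authorization("chip", "s3cret", "GET", REQUEST_URI, SERVER_NONCE, CNONCE)
# IE-style client: query string missing from uri= (and therefore from A2).
IE_STYLE = build_authorization("chip", "s3cret", "GET", "/secret/report.cgi", SERVER_NONCE, CNONCE)
# Header minted for another path: relaxed matching must still reject it.
OTHER_PATH = build_authorization("chip", "s3cret", "GET", "/other/page", SERVER_NONCE, CNONCE)

if __name__ == "__main__":
    for name, hdr in [("conforming", CONFORMING), ("ie-style", IE_STYLE), ("other-path", OTHER_PATH)]:
        for relaxed in (False, True):
            print(f"{name:11} relaxed={relaxed!s:5} -> {verify('GET', REQUEST_URI, hdr, relaxed)}")
```

Run as a script it prints the outcome of each header under the strict and the relaxed check: the IE-style header is rejected by the strict compare and accepted only in relaxed mode, while a header built for a different path is rejected in both modes and a wrong password still fails the response comparison. The nonce check is deliberately kept in front of the URI compare; in a real server the nonce lifetime and nonce-count tracking are what bound the reuse window that the relaxed compare widens.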