COMMAND

    Netscape

SYSTEMS AFFECTED

    Those using Netscape

PROBLEM

    Arne Vidstrom found the following.  Netscape Navigator takes a
    somewhat strange approach to HTTP access authentication.  Say  for
    example that you use  IIS 4 as a  web server, and configure  it to
    allow  only  Windows  NT  Challenge/Response authentication.  When
    Navigator connects to the server it receives (among other  things)
    the header "WWW-Authenticate:  NTLM", but *no*  "WWW-Authenticate:
    Basic" header.  In this case you would expect Navigator to pop  up
    a message  to the  user with  something like  "Error: This browser
    doesn't  support  any  authentication  method  supported  by   the
    server!".   Instead,  it  pops  up  the  "Username  and   Password
    Required" box.   When the  user fills  it in  and clicks  OK,  the
    username and password  are sent in  plaintext over the  network to
    the server, which of course doesn't accept them.

    Even more strange is that the HTTP/1.1 protocol doesn't say
    anything about how a browser is supposed to handle a situation
    like this, even though it does mention that authentication methods
    other than Basic should be used for better security.  Of course,
    when a server sends one or more supported authentication methods
    it ought to mean "I support these *only*, don't send me any
    others!", right?  Also, the message which comes when the
    authentication above fails is "Authentication failed.  Retry?" -
    this doesn't even give a hint about what's wrong - and the user
    will probably try again and again, thinking that he/she typed the
    password wrong, sending the password in plaintext over the network
    each time.

    Malicious  web  sites  could  just   as  easily  send  a   "Basic"
    authentication header to users  to obtain a username/password  and
    then  attempt  to  use  it  against  the  machine  or network that
    originated the request.   The only circumstance  that can be  seen
    where this would be a security  issue is when the user is  told by
    a trusted party (network administrator) to visit web site "x"  and
    use their  "NT" (or  other normally  secure) credentials.   If the
    trusted party  forgets to  mention that  the user  needs to  use a
    specific  browser  that  understands  the authentication method in
    use, and the  user naively uses  a Netscape browser,  the normally
    secure credentials are transmitted in cleartext over the network.

    This was tested with Navigator 2.02, 3.04 and Communicator 4.5.

SOLUTION

    In  RFC  2617,  "HTTP  Authentication:  Basic  and  Digest  Access
    Authentication", the following behavior is defined:

    ..."The user agent MUST choose  to use one of the  challenges with
        the  strongest   auth-scheme  it   understands  and    request
        credentials from the user based upon that challenge."...

    This says that the user agent should not attempt authentication
    unless it understands at least one of the supplied authentication
    schemes.  As RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1",
    suggests, the ...

        "entity might include relevant diagnostic information"...

    Information that tells the user which browser is capable of
    supporting the authentication scheme in use may be included in the
    body of the document.
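    As an added illustration (not part of the advisory, and not Netscape's
    code), the following Python shows the RFC 2617 rule above applied by a
    hypothetical user agent: it parses the server's WWW-Authenticate
    challenges, picks the strongest scheme the client understands, and
    returns None when it understands none of them, which is exactly where
    Navigator should have refused to prompt instead of sending Basic
    credentials.  The scheme ranking and the function names are assumptions
    made for this example.

```python
# Relative strength of auth-schemes (ranking assumed for this example; Basic is
# weakest because it transmits the password in cleartext, as the advisory notes).
SCHEME_STRENGTH = {"basic": 0, "digest": 1, "ntlm": 2, "negotiate": 3}


def split_challenges(header_value):
    """Split one WWW-Authenticate value into (scheme, params) pairs.

    Handles the comma-separated multi-challenge form ('Negotiate, NTLM,
    Basic realm="x"') and quoted strings that contain commas; backslash
    escapes inside quoted strings are deliberately not handled.
    """
    parts, buf, quoted = [], [], False
    for ch in header_value:
        quoted ^= (ch == '"')
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    challenges = []
    for part in (p.strip() for p in parts):
        if not part:
            continue
        head, _, rest = part.partition(" ")
        if "=" in head:  # 'name=value' continues the previous challenge
            if challenges:
                challenges[-1][1].append(part)
            continue
        challenges.append([head, [rest.strip()] if rest.strip() else []])
    return [(scheme, ", ".join(params)) for scheme, params in challenges]


def choose_scheme(header_values, understood=("basic",)):
    """Pick the strongest challenge the client understands (RFC 2617, 1.2).

    Returns (scheme, params), or None when nothing offered is understood.
    None is the advisory's case: a Basic-only client facing an NTLM-only
    server must report an unsupported method rather than prompt for a
    password it would then send in cleartext.
    """
    offered = [c for value in header_values for c in split_challenges(value)]
    usable = [c for c in offered if c[0].lower() in understood]
    if not usable:
        return None
    return max(usable, key=lambda c: SCHEME_STRENGTH.get(c[0].lower(), 0))
```

    With the constructed IIS 4 scenario from the advisory, a Basic-only
    client given only "NTLM" gets None, while a client offered both
    "NTLM" and 'Basic realm="intranet"' correctly falls back to Basic.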