Bug#228174: Galeon (Mozilla?) defaults to weakest authentication
ametzler at downhill.at.eu.org
Mon Dec 25 09:42:33 UTC 2006
reassign 228174 iceape-browser
found 228174 1.0.6-1
On 2004-01-17 Juliusz Chroboczek <jch at pps.jussieu.fr> wrote:
> Package: galeon
> Version: 1.2.5-0.woody.1
> Severity: important
> (This is most like a bug of mozilla-browser 2:1.0.0-0.woody.1. Please
> reassign it if so.)
> HTTP provides two standard authentication methods: Basic authentication,
> which sends passwords in clear over the net, and Digest, which is
> slightly stronger.
> RFC 2617 clearly recommends that Basic should be avoided. It also
> recommends that in case a server supports both Basic and Digest
> authentication methods, Digest should be used (RFC 2617 4.6).
> This choice should not depend on the order in which the methods are
> offered; indeed, the note in RFC 2617 1.2 suggests that for backwards
> compatibility Basic should be offered first.
> Galeon supports both Basic and Digest. However, if both Basic and
> Digest are offered, it will use the first one offered.
> In order to reproduce that, run the attached script and point Galeon
> at http://localhost:1234. You will see that it will use Basic
> authentication. Removing the first WWW-Authenticate line, or swapping
> their order will cause it to use Digest authentication.
Indeed this still seems to be the case with iceape 1.0.6. If this also
applies to current versions of galeon it probably should be cloned to
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Fforde
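The reporter's attached reproduction script is not part of this archive page. The following is an added example, not the reporter's script and not Galeon, Mozilla or iceape code: a minimal server in the spirit of the one described above, which sends a Basic challenge first and a Digest challenge second and logs which scheme the client answers with, alongside a client-side chooser that applies RFC 2617 section 4.6 (pick the strongest scheme understood, independent of header order) next to the first-offered behaviour the report describes. The realm, nonce, port and all function names are assumptions chosen for the example; credentials are not verified, only the scheme is observed.

```python
"""Basic-vs-Digest scheme selection (added example, not code from the report).

Offers both challenges the way the report describes (Basic first) and shows a
client-side chooser that follows RFC 2617 4.6 instead of taking the first one.
"""
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

# Relative strength, lowest first. Only the two RFC 2617 schemes are ranked;
# a scheme the client does not implement must be ignored, not chosen.
SCHEME_STRENGTH = {"basic": 1, "digest": 2}

# Constructed challenges in the order the report says triggers the bug
# (realm and nonce are assumptions for this example).
CHALLENGES = [
    'Basic realm="example"',
    'Digest realm="example", nonce="c0nstructed-n0nce", qop="auth", algorithm=MD5',
]


def parse_challenges(header_values):
    """Return [(scheme, params)] from a list of WWW-Authenticate header values.

    Assumes one challenge per header value, which is how the report's
    reproduction presents them; the scheme is the first token, case-insensitive.
    """
    out = []
    for value in header_values:
        value = value.strip()
        if not value:
            continue
        scheme, _, params = value.partition(" ")
        out.append((scheme.lower(), params.strip()))
    return out


def first_offered_scheme(header_values):
    """The behaviour the report describes: use whatever challenge comes first."""
    challenges = parse_challenges(header_values)
    return challenges[0][0] if challenges else None


def pick_strongest_scheme(header_values):
    """RFC 2617 4.6 behaviour: strongest understood scheme, regardless of order."""
    best = None
    for scheme, _params in parse_challenges(header_values):
        rank = SCHEME_STRENGTH.get(scheme)
        if rank is None:
            continue  # unknown scheme: cannot be used, so cannot be picked
        if best is None or rank > best[0]:
            best = (rank, scheme)
    return None if best is None else best[1]


def decode_basic(authorization_value):
    """Show why Basic is the weakest: the credentials are only base64-encoded.

    Returns (user, password) for an 'Authorization: Basic ...' value, else None.
    """
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


class BothChallengesHandler(BaseHTTPRequestHandler):
    """401 with both challenges; on retry, report which scheme the client used."""

    def do_GET(self):
        auth = self.headers.get("Authorization")
        if auth is None:
            self.send_response(401)
            for challenge in CHALLENGES:  # Basic first, Digest second
                self.send_header("WWW-Authenticate", challenge)
            self.end_headers()
            return
        scheme = auth.split(None, 1)[0]
        self.log_message("client chose %s", scheme)
        body = f"client used {scheme}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Point a browser at http://127.0.0.1:1234/ and watch the log line.
    HTTPServer(("127.0.0.1", 1234), BothChallengesHandler).serve_forever()
```

A client that answers this server with `Authorization: Basic ...` exhibits the ordering bug the report describes; one that answers with `Digest` has applied the RFC 2617 4.6 rule that `pick_strongest_scheme` implements.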