MantisBT - NetSurf
View Issue Details
ID: 0002461
Project: NetSurf
Category: Development
View Status: public
Date Submitted: 2016-08-12 17:18
Last Update: 2016-08-14 14:03
Reporter: maribu
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: acknowledged
Resolution: open
Platform:
OS:
OS Version:
Product Version: 3.5
Target Version:
Fixed in Version:
Fixed in CI build #:
Reported in CI build #:
URL of problem page:
Summary: 0002461: http Digest authentication not implemented (RFC 7616)
Description: When a web page is opened that requires authentication using the http Digest authentication scheme as specified in RFC 7616 (https://tools.ietf.org/html/rfc7616), the user is asked to input her credentials. When the user has typed in user name and password and clicks on the "Login" button, wireshark registers two GET requests which both lack the Authorization header field, and the user is asked again to input her credentials.

I would expect netsurf to not ask the user for credentials and to display the 401 page instead, unless the server provides an authentication scheme and parameters that are supported by the browser. Otherwise the user will likely conclude that she has forgotten her password or wrongly typed in her credentials. Because of that the user might try to login again and again, but in fact there is no chance that the login will ever succeed because the authentication scheme is not supported by the browser.

Also, most web servers support http digest authentication (most seem to implement, at the time of writing, only the obsolete digest authentication specified in RFC 2617), so it would be great to have support for digest authentication in netsurf. I suggest not implementing RFC 2617 in favor of RFC 7616: RFC 7616 remains fully compatible with obsolete RFC 2617 digest implementations, but allows the use of much more secure hash functions if the server also supports them.
Steps To Reproduce: Open a website that requires authentication and only supports the http digest authentication scheme.
Additional Information: Here is one request-response pair as recorded with wireshark. For each user input, two requests and two responses are generated.

--------------------------------
| Request: Netsurf --> Server |
--------------------------------
GET /secret.html HTTP/1.1\r\n
Host: 127.0.0.1:12345\r\n
User-Agent: NetSurf/3.5 (Linux)\r\n
Accept: */*\r\n
Accept-Encoding: gzip\r\n
\r\n
--------------------------------
| Response: Netsurf <-- Server |
--------------------------------
HTTP/1.1 401 Unauthorized\r\n
WWW-Authenticate: Digest realm="users@test.org", qop="auth", algorithm=SHA-256, nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", charset=UTF-8, userhash=true\r\n
WWW-Authenticate: Digest realm="users@test.org", qop="auth", algorithm=MD5, nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", charset=UTF-8, userhash=true\r\n
Content-Type: text/html\r\n
Content-Length: 92\r\n
\r\n
<html><head><title>Unauthorized</title></head><body><h1>401 Unauthorized</h1></body></html>\n
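To make the missing behaviour concrete, here is an added example (not NetSurf code; function names are hypothetical, the two challenge lines are copied from the capture above, the username and password are constructed) that walks the RFC 7616 client side against exactly this response: pick the first challenge in the server's preference order whose algorithm and qop the client supports, compute the qop=auth response with userhash=true, and return None when no challenge is usable, which is the case where the report expects the 401 page to be shown instead of a login prompt. A small server-side verifier is included so the computation can be checked end to end.

```python
"""RFC 7616 HTTP Digest: challenge selection, Authorization construction, and
server-side verification. Added example for this report, not NetSurf code;
function names are hypothetical, challenge lines are copied from the capture
above, and the username/password are constructed."""
import hashlib
import hmac
import re
import secrets

# Algorithms this example client understands, keyed by the RFC 7616 token.
SUPPORTED = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}

# The server's two challenges, in its order of preference (copied from the capture).
CHALLENGES = [
    'Digest realm="users@test.org", qop="auth", algorithm=SHA-256, '
    'nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", '
    'charset=UTF-8, userhash=true',
    'Digest realm="users@test.org", qop="auth", algorithm=MD5, '
    'nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", '
    'charset=UTF-8, userhash=true',
]

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_digest(header_value):
    """Parse a 'Digest k=v, k="v", ...' header value into a dict; None if not Digest."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k: (quoted if quoted else bare) for k, quoted, bare in _PARAM_RE.findall(params)}

def _h(alg, text):
    return SUPPORTED[alg](text.encode("utf-8")).hexdigest()

def select_challenge(header_values):
    """First challenge in server order (RFC 7616 section 3.3) whose algorithm and qop we
    support; None if nothing is usable, so the caller can show the 401 page, not a prompt."""
    for value in header_values:
        ch = parse_digest(value)
        if ch is None or "realm" not in ch or "nonce" not in ch:
            continue
        qops = [q.strip() for q in ch.get("qop", "").split(",")]
        if ch.get("algorithm", "MD5") in SUPPORTED and "auth" in qops:
            return ch
    return None

def build_authorization(ch, method, uri, username, password, nc=1, cnonce=None):
    """Client side: compute the qop=auth response (RFC 7616 section 3.4)."""
    alg = ch.get("algorithm", "MD5")
    realm, nonce = ch["realm"], ch["nonce"]
    cnonce = cnonce or secrets.token_hex(16)
    nc_str = f"{nc:08x}"
    ha1 = _h(alg, f"{username}:{realm}:{password}")  # A1 = user:realm:passwd
    ha2 = _h(alg, f"{method}:{uri}")                  # A2 = method:uri for qop=auth
    response = _h(alg, f"{ha1}:{nonce}:{nc_str}:{cnonce}:auth:{ha2}")
    # userhash=true (section 3.4.4): send H(username:realm) instead of the bare name.
    userhash = ch.get("userhash", "false").lower() == "true"
    user_field = _h(alg, f"{username}:{realm}") if userhash else username
    params = [f'username="{user_field}"', f'realm="{realm}"', f'uri="{uri}"',
              f"algorithm={alg}", f'nonce="{nonce}"', f"nc={nc_str}",
              f'cnonce="{cnonce}"', "qop=auth", f'response="{response}"',
              f"userhash={'true' if userhash else 'false'}"]
    if "opaque" in ch:
        params.append(f'opaque="{ch["opaque"]}"')
    return "Digest " + ", ".join(params)

def make_credential_store(username, realm, password):
    """Server side: keep H(username:realm:password) per algorithm, indexed both by the
    plain username and by the userhash form, as a server honouring userhash=true needs."""
    store = {}
    for alg in SUPPORTED:
        ha1 = _h(alg, f"{username}:{realm}:{password}")
        store[(username, alg)] = ha1
        store[(_h(alg, f"{username}:{realm}"), alg)] = ha1
    return store

def verify_authorization(header_value, method, uri, store):
    """Server side: recompute the response from stored HA1 and compare in constant time.
    A real server must also check that the nonce is one it issued and that nc increases;
    this example does not track nonces."""
    p = parse_digest(header_value)
    if p is None or p.get("qop") != "auth" or p.get("uri") != uri:
        return False
    alg = p.get("algorithm", "MD5")
    if alg not in SUPPORTED:
        return False
    ha1 = store.get((p.get("username"), alg))
    if ha1 is None or not all(k in p for k in ("nonce", "nc", "cnonce", "response")):
        return False
    ha2 = _h(alg, f"{method}:{uri}")
    expected = _h(alg, f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return hmac.compare_digest(expected, p["response"])

if __name__ == "__main__":
    chosen = select_challenge(CHALLENGES)
    header = build_authorization(chosen, "GET", "/secret.html", "alice", "correct horse")
    print("Authorization:", header)
    creds = make_credential_store("alice", "users@test.org", "correct horse")
    print("server accepts:", verify_authorization(header, "GET", "/secret.html", creds))
```

Run as-is, the SHA-256 challenge is chosen because the server listed it first and the client supports it; delete it from SUPPORTED and the MD5 challenge is chosen instead, while an offered algorithm the client lacks altogether makes select_challenge return None, the point at which a browser should render the 401 body rather than re-prompt.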
Tags: No tags attached.
Attached Files:

Notes
(0001385) maribu 2016-08-12 18:50
In the title of this bug I incorrectly referred to RFC 7252 (CoAP), but correct is RFC 7616 (Digest Auth). If someone has the permission to change bug report titles, I would be happy if that could be fixed :-) Thanks!

Issue History
2016-08-12 17:18 maribu New Issue
2016-08-12 18:50 maribu Note Added: 0001385
2016-08-14 14:03 Vincent Sanders Status: new => acknowledged
2016-08-14 14:03 Vincent Sanders Summary: http Digest authentication not implemented (RFC 7252) => http Digest authentication not implemented (RFC 7616)