2024-06-19 23:54 BST

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0002461NetSurfDevelopmentpublic2016-08-14 14:03
Assigned To 
Product Version3.5 
Target VersionFixed in Version 
Summary0002461: http Digest authentication not implemented (RFC 7616)
DescriptionWhen a web is opened that requires authentication using the http Digest authentication scheme as specified in RFC 7616 (https://tools.ietf.org/html/rfc7616), the user is asked to input her credentials. When the user has typed in user name and password and clicks on the "Login" button, wireshark registers two GET requests which both lack the Authorization header field and the user is asked again to input her credentials.

I would expect netsurf to not ask the user for credentials and to display the 401 page instead, unless the server provides an authentication scheme and parameters that are supported by the browser. Otherwise the user will likely conclude that she has forgotten her password or wrongly typed in her credentials. Because of that the user might try to login again and again, but in fact there is no chance that the login will ever succeed because the authentication scheme is not supported by the browser.

Also most web servers support http digest authentication (most seem to implement at the time of writing only the obsolete digest authentication specified in RFC 2617), so it would be great to have support for digest authentication in netsurf. I suggest to not implement RFC 2617 in favor of RFC 7616: RFC 7616 remains fully compatible to obsolete RFC 2617 digest implementations, but allows the use of much more secure hash functions if the server also supports them.
Steps To ReproduceOpen a website the requires authentication and only supports the http digest authentication scheme
Additional InformationHere is one request-response pair as recorded from wireshark. For each user input two requests and two responses are generated

| Request: Netsurf --> Server |
GET /secret.html HTTP/1.1\r\n
User-Agent: NetSurf/3.5 (Linux)\r\n
Accept: */*\r\n
Accept-Encoding: gzip\r\n
| Response: Netsurf <-- Server |
HTTP/1.1 401 Unauthorized\r\n
WWW-Authenticate: Digest realm="users@test.org", qop="auth", algorithm=SHA-256, nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", charset=UTF-8, userhash=true\r\n
WWW-Authenticate: Digest realm="users@test.org", qop="auth", algorithm=MD5, nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", charset=UTF-8, userhash=true\r\n
Content-Type: text/html\r\n
Content-Length: 92\r\n
<html><head><title>Unauthorized</title></head><body><h1>401 Unauthorized</h1></body></html>\n
TagsNo tags attached.
Fixed in CI build #
Reported in CI build #
URL of problem page
Attached Files




maribu (reporter)

In the title of this bug I incorrectly referred to RFC 7252 (CoAP), but correct is RFC 7616 (Digest Auth). If someone has the permission to change bug report titles, I would be happy if that could be fixed :-) Thanks!

-Issue History
Date Modified Username Field Change
2016-08-12 17:18 maribu New Issue
2016-08-12 18:50 maribu Note Added: 0001385
2016-08-14 14:03 Vincent Sanders Status new => acknowledged
2016-08-14 14:03 Vincent Sanders Summary http Digest authentication not implemented (RFC 7252) => http Digest authentication not implemented (RFC 7616)
+Issue History