
Netscape Navigator and HTTP access authentication implementation

Netscape Navigator takes a somewhat strange approach to HTTP access authentication. Say, for example, that you use IIS 4 as a web server and configure it to allow only Windows NT Challenge/Response authentication. When Navigator connects to the server it receives (among other things) the header "WWW-Authenticate: NTLM", but no "WWW-Authenticate: Basic" header. In this case you would expect Navigator to show the user a message along the lines of "Error: This browser doesn't support any authentication method supported by the server!". Instead, it pops up the "Username and Password Required" box. When the user fills it in and clicks OK, the username and password are sent in plaintext over the network to the server, which of course doesn't accept them.

Even stranger, I think, is that the HTTP/1.1 protocol doesn't say anything about how a browser is supposed to handle a situation like this, even though it does mention that authentication methods other than Basic should be used for better security. Of course, when a server sends one or more supported authentication methods it ought to mean "I support these only, don't send me any others!"

Also, the message shown when the authentication above fails is "Authentication failed. Retry?". This doesn't even give a hint about what's wrong, so the user will probably try again and again, thinking that he/she typed the password wrong, each time sending the password in plaintext over the network.
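The behaviour described above boils down to one missing check in the client: before prompting for a username and password and answering with Basic, look at which schemes the 401 response actually offered. The following Python is an added example written for this page, not Navigator's or IIS's code. It parses the `WWW-Authenticate` challenges of a response, applies the rule "send Basic only if Basic was offered", and decodes a Basic `Authorization` header to show why the stray plaintext reply matters. The sample header sets (`IIS_NTLM_ONLY`, `BOTH`, `COMBINED`) are constructed for the example; the function names are mine.

```python
import base64
import re

# Constructed sample 401 header sets (not captured from a real server):
# each entry is a (header-name, header-value) pair as received.
IIS_NTLM_ONLY = [("WWW-Authenticate", "NTLM")]
BOTH = [("WWW-Authenticate", "NTLM"),
        ("WWW-Authenticate", 'Basic realm="intranet"')]
COMBINED = [("WWW-Authenticate", 'Negotiate, NTLM, Basic realm="intranet"')]

# A challenge starts with a bare scheme token, optionally followed by
# whitespace and parameters (realm="..."), or a token68 blob for NTLM/Negotiate.
# A piece such as realm="x" has no whitespace after the first token, so it
# does not match and is treated as a parameter of the preceding challenge.
_SCHEME_START = re.compile(r'^([A-Za-z][A-Za-z0-9._-]*)(?:\s+(.*))?$')


def offered_schemes(headers):
    """Return the authentication schemes offered in a 401 response, lowercased,
    in the order they appear. Handles both repeated WWW-Authenticate headers
    and several comma-separated challenges inside one header value."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for piece in value.split(","):
            piece = piece.strip()
            match = _SCHEME_START.match(piece)
            if match is None:
                continue  # a parameter, not the start of a new challenge
            scheme = match.group(1).lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes


def choose_scheme(headers, supported=("basic",)):
    """Pick the first offered scheme the client supports, or None when there is
    no overlap. A browser that supports only Basic, as the page assumes for
    Navigator, should report 'unsupported' rather than prompt when this is None."""
    wanted = {s.lower() for s in supported}
    for scheme in offered_schemes(headers):
        if scheme in wanted:
            return scheme
    return None


def should_send_basic(headers):
    """The rule the page argues for: answer with Basic credentials only when
    the server actually offered the Basic scheme."""
    return "basic" in offered_schemes(headers)


def build_basic_authorization(user, password):
    """Build the Authorization header a Basic client sends."""
    raw = f"{user}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_authorization(header_value):
    """Recover the credentials from a Basic Authorization header. Base64 is an
    encoding, not encryption, which is why the page calls the reply plaintext."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(payload).decode("latin-1")
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    for label, hdrs in (("IIS NTLM only", IIS_NTLM_ONLY), ("NTLM + Basic", BOTH)):
        print(label, "offers", offered_schemes(hdrs),
              "-> send Basic?", should_send_basic(hdrs))
    print(decode_basic_authorization(build_basic_authorization("alice", "s3cret")))
```

With `IIS_NTLM_ONLY`, `choose_scheme` returns `None` and `should_send_basic` is false, which is the point at which the page expects an "unsupported method" message instead of a password prompt; with `BOTH` the client may legitimately fall back to Basic.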



© Arne Vidstrom. All rights reserved.