According to securityfocus.com: Firefox is affected by a vulnerability that may result in sending authentication credentials across the network in plaintext format. By default, the browser chooses basic authentication even if other authentication schemas such as Digest or NTLM are available from the server. Mozilla Firefox 1.0.4 and 1.0.5 running on Windows are confirmed to be vulnerable. Other versions on different platforms may be affected as well. (It's not known to be fixed in 1.0.6)

Reproducible: Always

Steps to Reproduce:
This one is very lame too. "From RFC 2617: The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based upon that challenge. Instead, Mozilla (tested with Firefox 1.0.4 and 1.0.5 for Windows) uses the authentication schema in the order offered by the server."
From https://bugzilla.mozilla.org/show_bug.cgi?id=281851: Mozilla follows the older RFC 2068 (HTTP 1.1 RFC):

"An HTTP/1.1 server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different scheme. The order of the challenges returned to the user agent is in the order that the server would prefer they be chosen. The server should order its challenges with the "most secure" authentication scheme first. A user agent should choose as the challenge to be made to the user the first one that the user agent understands."

This was refused as a security bug by the Mozilla folks, and I can't blame them. Closing as RESOLVED/UPSTREAM, please reopen if you disagree.
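As an added illustration of the two selection rules quoted above (example code, not from the bug report or from Mozilla), the following Python splits a 401 response's WWW-Authenticate challenges and picks one either the RFC 2617 way (strongest understood scheme) or in server order as described in the report; the scheme strength ranking is an assumption for this example.

```python
import re

# Assumed strength ranking for this example (higher is stronger). Basic sends
# the password in a reversible encoding, so it ranks lowest; the others never
# put the cleartext password on the wire.
SCHEME_STRENGTH = {"basic": 0, "digest": 1, "ntlm": 2, "negotiate": 3}

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# name=value belonging to the current challenge, ending at a comma or end of value
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_QUOTED}|{_TOKEN})\s*(?:,|$)")
# bare scheme name starting a new challenge (initial 401 form; token68 blobs
# used by later NTLM/Negotiate round trips are not handled here)
_SCHEME = re.compile(rf"\s*({_TOKEN})(?:\s*,|\s+|$)")


def parse_challenges(header_values):
    """Split WWW-Authenticate header values into [(scheme, params)] in server order."""
    challenges = []
    for value in header_values:
        pos = 0
        while pos < len(value):
            m = _PARAM.match(value, pos)
            if m and challenges:
                name, raw = m.group(1), m.group(2)
                if raw.startswith('"'):
                    raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # strip quotes, unescape
                challenges[-1][1][name.lower()] = raw
            else:
                m = _SCHEME.match(value, pos)
                if not m:
                    raise ValueError(f"malformed challenge at offset {pos}: {value!r}")
                challenges.append((m.group(1).lower(), {}))
            pos = m.end()
    return challenges


def choose_challenge(challenges, strongest_first=True):
    """Return the challenge the client should answer, or None if none is understood.

    strongest_first=True follows RFC 2617 (strongest understood scheme wins).
    strongest_first=False reproduces the server-order behaviour described in the
    bug: a server that lists Basic first gets the password in the clear.
    """
    understood = [c for c in challenges if c[0] in SCHEME_STRENGTH]
    if not understood:
        return None
    if not strongest_first:
        return understood[0]
    return max(understood, key=lambda c: SCHEME_STRENGTH[c[0]])
```

The constructed header below lists Basic first; RFC 2617 selection still answers the NTLM challenge, while server-order selection hands out the Basic credentials.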