Bug 1364463

Summary: CVE-2005-2395: Firefox uses Basic auth when it shouldn't
Product: Fedora
Component: firefox
Version: 24
Status: CLOSED UPSTREAM
Type: Bug
Reporter: David Woodhouse <dwmw2>
Assignee: Jan Horak <jhorak>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gecko-bugs-nobody, jhorak, pjasicek, stransky
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Last Closed: 2016-08-19 09:51:32 UTC
Bug Blocks: 887259

Description David Woodhouse 2016-08-05 12:03:56 UTC
Firefox uses the first auth method offered by the server in its headers, while RFC2617 says that it MUST use the strongest one.

This is causing users to see password prompts, and potentially send passwords over the wire in plain-text, when they should be using GSSAPI or NTLM authentication which would work with single-sign-on.
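The selection rule the report cites (RFC 2617 section 4.6: a user agent MUST choose the strongest auth-scheme it understands) is illustrated below with added example code; it is not Firefox's code or the reporter's. The strength ranking and the sample WWW-Authenticate headers are constructed for the demonstration.

```python
import re

# Assumed client preference, strongest first: Negotiate (GSSAPI/Kerberos),
# then NTLM, then Digest, with Basic (cleartext credentials) last.
SCHEME_STRENGTH = {"negotiate": 3, "ntlm": 2, "digest": 1, "basic": 0}

# Constructed challenge set: the server lists Basic first, as in the report.
SAMPLE_HEADERS = [
    'Basic realm="intranet"',
    'Digest realm="intranet", nonce="abc123", qop="auth,auth-int"',
    'Negotiate',
    'NTLM',
]


def _split_outside_quotes(value):
    """Split on commas that are not inside a quoted-string (qop="auth,auth-int")."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_challenges(headers):
    """Return [(scheme, params)] across one or more WWW-Authenticate headers.
    A piece whose first token has no '=' starts a new challenge; other pieces
    are auth-params of the current one. token68 payloads are not handled."""
    challenges = []
    for header in headers:
        for piece in _split_outside_quotes(header):
            head, _, rest = piece.partition(" ")
            if "=" not in head and re.fullmatch(r"[A-Za-z][A-Za-z0-9_-]*", head):
                challenges.append((head.lower(), {}))
                piece = rest.strip()
                if not piece:
                    continue
            if not challenges:
                continue
            name, eq, value = piece.partition("=")
            if eq:
                challenges[-1][1][name.strip().lower()] = value.strip().strip('"')
    return challenges


def first_listed(headers):
    """The buggy behaviour described above: take whatever the server lists first."""
    challenges = parse_challenges(headers)
    return challenges[0] if challenges else None


def choose_challenge(headers):
    """RFC 2617 behaviour: pick the strongest understood scheme, ignoring order."""
    known = [c for c in parse_challenges(headers) if c[0] in SCHEME_STRENGTH]
    return max(known, key=lambda c: SCHEME_STRENGTH[c[0]]) if known else None
```

Run against SAMPLE_HEADERS, first_listed() returns the Basic challenge while choose_challenge() returns Negotiate, which is the difference the report is about.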

Comment 1 Jan Horak 2016-08-19 09:51:32 UTC
Thanks for letting us know. We're going to track it upstream. Fixing this is beyond a simple change in the source code, so it will have to go through the Mozilla review process anyway.

I've added myself to the CC list on mozbz.