
Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256

Added by bupthebroker 9 months ago

Hi,

I am using lighttpd 1.4.54 with openssl. I have locked a page like this:

auth.require = ( "/test.html" =>
  (
    "method"    => "digest",
    "algorithm" => "SHA-256",
    "realm"     => "my-realm",
    "require"   => "valid-user"
  )
)

Opera:
Everything works well; after I enter username and password and click on okay, I get a new request from the browser where con->request.uri->ptr is "/test.html".

Firefox:
Everything works well until the login popup. When I enter my username and password and click okay, I get a request from the browser where con->request.uri->ptr is "/favicon.ico". Naturally login fails since test.html is not requested, and a 401 appears.

Chrome/Chromium:
No login popup appears; it seems to continue automatically and con->request.uri->ptr == "/favicon.ico" again. test.html is not requested, and a 401 appears.

What causes some browsers to request the favicon.ico during the login process? If I select MD5 instead of SHA-256, then the browsers do not request favicon.ico and everything works well. Any ideas how to resolve this?

Thanks!


Replies (3)

RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by bupthebroker 9 months ago

Okaaaaaaay,
I now read this thread:

https://bugzilla.mozilla.org/show_bug.cgi?id=472823

"Guys... there is a very common use-case for home routers where they want to transfer authentication without tls.

Making them transfer it in MD5 because the privacy-aware and security-aware browser doesn't implement SHA-256 for this is insecure.

Chrome is also broken for this (ignores algorithm= and continues with md5) but if you think about your own home router... it's a missing piece of the security puzzle isn't it?"

So it seems I'm fu*kered...

RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by gstrauss 9 months ago

lighttpd can be configured to support both SHA-256 and MD5: "algorithm" => "SHA-256|MD5"

More intelligent browsers will then be able to use SHA-256, although this configuration is still open to downgrade attacks.
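To make the "SHA-256|MD5" behaviour and the downgrade concrete, here is an added Python example (not lighttpd's code, and not from anyone in this thread). It computes the RFC 7616 Digest response for both algorithms, models a server that emits one WWW-Authenticate challenge per configured algorithm and a client that picks the first one it supports, and shows the server-side check recomputing with whichever algorithm the client actually used. The nonces and realm are constructed; the one real test vector is the RFC 2617 worked example (username "Mufasa").

```python
"""Digest auth (RFC 7616) for MD5 and SHA-256, plus a model of algorithm
selection when a server offers several challenges.  Added example, not
lighttpd code.  Nonces/realm are constructed; RFC2617 below is the public
worked example from RFC 2617 section 3.5."""
import hashlib
import hmac
import re

ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def digest_response(algorithm, username, password, realm, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Compute the Digest 'response' field for the given algorithm (qop=auth)."""
    hfn = ALGORITHMS[algorithm]

    def H(s):
        return hfn(s.encode("utf-8")).hexdigest()

    ha1 = H(f"{username}:{realm}:{password}")
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_challenges(algorithms, realm, nonce):
    """One WWW-Authenticate challenge per configured algorithm, in the order
    given; lighttpd's "SHA-256|MD5" corresponds to ["SHA-256", "MD5"]."""
    return [f'Digest realm="{realm}", qop="auth", algorithm={alg}, nonce="{nonce}"'
            for alg in algorithms]


def client_choose(challenges, supported):
    """Return the algorithm of the first challenge the client supports, or None
    if none is usable (the SHA-256-only server vs. MD5-only browser case)."""
    for challenge in challenges:
        m = re.search(r"algorithm=([A-Za-z0-9-]+)", challenge)
        alg = m.group(1) if m else "MD5"   # RFC 7616: absent algorithm means MD5
        if alg in supported:
            return alg
    return None


def verify_response(algorithm, claimed_response, username, password, realm,
                    method, uri, nonce, nc, cnonce):
    """Server side: recompute with the algorithm the client actually used and
    compare in constant time.  With "SHA-256|MD5" the server must accept an
    MD5 response too, which is exactly the downgrade exposure."""
    if algorithm not in ALGORITHMS:
        return False
    expected = digest_response(algorithm, username, password, realm, method,
                               uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, claimed_response)


# RFC 2617 section 3.5 worked example (public test vector).
RFC2617 = dict(username="Mufasa", password="Circle Of Life",
               realm="testrealm@host.com", method="GET", uri="/dir/index.html",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
               nc="00000001", cnonce="0a4f113b")


def negotiate(server_algorithms, client_supported):
    """Model the exchange: server offers challenges, client picks one.
    Returns the algorithm in use, or None when auth cannot proceed."""
    challenges = server_challenges(server_algorithms, "my-realm", "constructed-nonce")
    return client_choose(challenges, client_supported)


if __name__ == "__main__":
    print("MD5 response:    ", digest_response("MD5", **RFC2617))
    print("SHA-256 response:", digest_response("SHA-256", **RFC2617))
    print("SHA-256 only server, MD5-only client: ", negotiate(["SHA-256"], {"MD5"}))
    print("SHA-256|MD5 server, MD5-only client:  ", negotiate(["SHA-256", "MD5"], {"MD5"}))
    print("SHA-256|MD5 server, full client:      ", negotiate(["SHA-256", "MD5"], {"MD5", "SHA-256"}))
```

The three negotiate() calls reproduce the thread: a SHA-256-only server gets no usable challenge from an MD5-only browser, the "SHA-256|MD5" setting lets that browser fall back to MD5, and a browser that implements SHA-256 takes the stronger challenge. Because the server has to honour whichever algorithm comes back, anything that can rewrite the challenge on the wire can force MD5, which is the downgrade gstrauss mentions; TLS on the connection is what closes that gap.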

RE: Lighttpd 1.4.54 login fails with favicon.ico when using SHA-256 - Added by bupthebroker 9 months ago

The list of intelligent browsers seems to contain only Opera. It works well with Opera.
