Netscape Navigator and HTTP access authentication implementation

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Date: Fri, 01 Oct 1999  20:54:43
   From: Arne Vidstrom <winnt@BAHNHOF.SE>
     To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Netscape Navigator and HTTP access authentication implementation
--------------------------------------------------------------------------------


Hi all,

Netscape Navigator takes a somewhat strange approach to HTTP access
authentication. Say for example that you use IIS 4 as a web server, and
configure it to allow only Windows NT Challenge/Response authentication.
When Navigator connects to the server it receives (among other things) the
header "WWW-Authenticate: NTLM", but *no* "WWW-Authenticate: Basic" header.
In this case you would expect Navigator to pop up a message to the user
with something like "Error: This browser doesn't support any authentication
method supported by the server!". Instead, it pops up the "Username and
Password Required" box. When the user fills it in and clicks OK, the
username and password are sent in plaintext over the network to the server,
which of course doesn't accept them. Even stranger, I think, is that the
HTTP/1.1 protocol (as far as I can tell from reading it, but I could have
missed it) doesn't say anything about how a browser is supposed to handle a
situation like this, even though it mentions that authentication methods
other than Basic should be used for better security. Of course, when a
server sends one or more supported authentication methods it ought to mean
"I support these *only*, don't send me any others!", right? Also, the
message that appears when the authentication above fails is "Authentication
failed. Retry?" - this doesn't even give a hint about what's wrong - and
the user will probably try again and again, thinking that he/she typed the
password wrong, each time sending the password in plaintext over the
network.

Regards,

/Arne Vidstrom
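The client-side logic the post argues for, as an added example (editor's code, not Netscape's and not part of the original message): parse the server's WWW-Authenticate challenge(s), pick a scheme only from those the server actually offered, and refuse to prompt when Basic is not among them. The sample challenge strings, the scheme preference list and the credentials are constructed for illustration; the Basic encode/decode pair is there to show that what Navigator sent is recoverable by anyone on the wire.

```python
"""Client handling of HTTP 401 challenges (RFC 7235 / RFC 2617 syntax).

Added example, not Netscape's code and not code from the original post.
Sample headers and credentials below are constructed.
"""
import base64
import re

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN_RE = re.compile(_TOKEN)
# auth-param = token BWS "=" BWS ( token / quoted-string )
_PARAM_RE = re.compile(r'(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))')


def _split_commas(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _parse_param(text):
    """Return (name, value) if text is exactly one auth-param, else None."""
    m = _PARAM_RE.fullmatch(text)
    if m is None:
        return None
    if m.group(2) is not None:
        return m.group(1).lower(), re.sub(r"\\(.)", r"\1", m.group(2))  # unescape quoted-pair
    return m.group(1).lower(), m.group(3)


def parse_www_authenticate(value):
    """Return challenges as (scheme, params) tuples.

    params is a dict of auth-params, or a str holding a token68 blob
    (e.g. the NTLM type-2 message carried in a follow-up challenge)."""
    challenges = []
    for part in _split_commas(value):
        param = _parse_param(part)
        if param is not None:                      # auth-param continuing the previous challenge
            if not challenges or not isinstance(challenges[-1][1], dict):
                raise ValueError("auth-param without a challenge: %r" % part)
            challenges[-1][1][param[0]] = param[1]
            continue
        pieces = part.split(None, 1)
        scheme, rest = pieces[0], (pieces[1] if len(pieces) > 1 else "")
        if _TOKEN_RE.fullmatch(scheme) is None:
            raise ValueError("malformed challenge: %r" % part)
        if rest == "":
            challenges.append((scheme.lower(), {}))  # bare scheme, e.g. "NTLM"
        else:
            first = _parse_param(rest)
            challenges.append((scheme.lower(), {first[0]: first[1]} if first else rest))
    return challenges


def choose_scheme(challenges, client_supports):
    """First scheme in the client's preference list that the server offered, else None."""
    offered = {scheme for scheme, _ in challenges}
    for scheme in client_supports:
        if scheme.lower() in offered:
            return scheme.lower()
    return None


def decide_on_401(www_authenticate, client_supports):
    """("prompt", scheme) or ("refuse", None).

    A server that lists NTLM alone has not offered Basic, so no credentials
    may be sent in Basic form; the right answer is an error, not a login box."""
    scheme = choose_scheme(parse_www_authenticate(www_authenticate), client_supports)
    return ("prompt", scheme) if scheme else ("refuse", None)


def navigator_style_decision(www_authenticate):
    """The behaviour the post describes: prompt and send Basic regardless. For contrast only."""
    return ("prompt", "basic")


def basic_authorization_header(username, password):
    """The Authorization header Basic sends; base64 is encoding, not encryption."""
    cred = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(cred).decode("ascii")


def decode_basic_authorization(header):
    """What a network observer recovers from a captured Basic header."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, pw


if __name__ == "__main__":
    # Constructed sample: a server configured for NT Challenge/Response only.
    print(decide_on_401("NTLM", ["digest", "basic"]))          # ('refuse', None)
    print(navigator_style_decision("NTLM"))                    # ('prompt', 'basic')
    mixed = 'Digest realm="corp", qop="auth", nonce="abc", Basic realm="corp"'
    print(decide_on_401(mixed, ["digest", "basic"]))           # ('prompt', 'digest')
    print(decode_basic_authorization(basic_authorization_header("alice", "s3cret")))
```

The parser treats a comma-separated part that is a lone `name=value` as a continuation of the previous challenge and anything else as a new challenge, which is the only way to tell `Digest realm="x", qop="auth"` (one challenge, two params) apart from `Digest realm="x", Basic realm="x"` (two challenges). The "retry?" loop the post describes is avoided by construction: `decide_on_401` never returns a prompt for a scheme the server did not list.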

