Apache Week
   
   Issue 139, 20th November 1998:  

Copyright 1996-2005
Red Hat, Inc.

Apache Status

Apache Site: www.apache.org
Release: 1.3.3 (Released 9th October 1998) (local download sites)
Beta: None

Apache 1.3.3 is the current stable release. Users of Apache 1.2.6 and earlier should look at upgrading to this version. Read Guide to 1.3.3 for information about changes between 1.2 and 1.3.3.


Patches for bugs in Apache 1.3.3 will be made available in the apply_to_1.3.3 subdirectory of the patches directory on the Apache site. Some new features and other unofficial patches are available in the 1.3 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Many common configuration questions are answered in the Apache FAQ.

Updated Digest Authentication

Access to resources on a server can be restricted by requiring users to supply a username and password. This is usually done using "basic authentication". However, this results in the password being sent across the network unencrypted, so anyone intercepting the traffic could see both the username and password (unless the HTTP communication is itself encrypted, such as when SSL is in use).

To get around the lack of security with basic authentication, RFC2069 defines a new method of sending passwords: Digest Authentication. Instead of the password itself, the client sends a one-way digest computed from it, so someone looking at the traffic cannot get at the password. Note that neither basic nor digest authentication encrypts the contents of the server response, so someone viewing traffic could still get access to the protected document.
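The difference between the two schemes, as an added example that is not code from Apache Week or the Apache project: it builds the basic credential and the RFC 2069 digest response for the same login and checks the digest the way a server would. The user, realm, password, nonces and URI are constructed sample values.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_credentials(user, password):
    # Basic: base64 of "user:password"; reversible by anyone who sees it.
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def digest_response(user, realm, password, nonce, method, uri):
    # RFC 2069: response = H( H(A1) ":" nonce ":" H(A2) ), with H = MD5
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # A1 = user:realm:password
    ha2 = md5_hex(f"{method}:{uri}")              # A2 = method:uri
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_verify(stored_ha1, nonce, method, uri, client_response):
    # The server can keep H(A1) instead of the clear password and recompute
    # the expected digest for the nonce it issued.
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, client_response)

# Constructed sample values (not from the article or any real server).
USER, REALM, PASSWORD = "alice", "staff", "s3cret-example"
METHOD, URI = "GET", "/private/index.html"
STORED_HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")

def demo():
    nonce_1, nonce_2 = "nonce-issued-first", "nonce-issued-later"
    captured = digest_response(USER, REALM, PASSWORD, nonce_1, METHOD, URI)
    wrong = digest_response(USER, REALM, "guess", nonce_1, METHOD, URI)
    return {
        # What an eavesdropper recovers from a basic-auth header.
        "basic_decodes_to": base64.b64decode(basic_credentials(USER, PASSWORD)).decode(),
        # What travels on the wire with digest auth.
        "digest_on_wire": captured,
        "accepted": server_verify(STORED_HA1, nonce_1, METHOD, URI, captured),
        # A captured response is bound to its nonce and fails against a new one.
        "replayed_on_new_nonce": server_verify(STORED_HA1, nonce_2, METHOD, URI, captured),
        "wrong_password": server_verify(STORED_HA1, nonce_1, METHOD, URI, wrong),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```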

RFC2069 is now being revised, and the current draft of a replacement is available as HTTP Authentication: Basic and Digest Access Authentication. This draft documents both the basic and digest authentication mechanisms.


Comments or criticisms? Please email us at editors@apacheweek.com