Alice wishes to access Bob's server.
Mallot is in position to intercept all of Alice's requests.
Alice sends a cleartext request for a restricted file from Bob.
Mallot intercepts the request.
Mallot sends Alice a response containing information for
authenticating to Mallot's server.
Alice sends a request encrypted for Mallot's server.
Mallot decrypts the request..
Mallot sends valid mutual authenticator to Alice.
Mallot has successfully spoofed Bob's server.
Unless Alice knows how to authenticate to Bob prior to initiating
the transaction, Mallot will be able to subvert Alice's request. The
basic flaw is Alice relies on the "401 Unauthorized" response for
authentication information, e.g., public key, Kerberos principal, etc.
I think this attack would work against any authentication
protocol following the WWW Access Authorization protocol examples.