W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1996

RE: Require WWW clients to describe password/security

From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Mon, 10 Jun 1996 10:48:45 +0200 (MET DST)
Message-Id: <199606100848.KAA07295@durin.uio.no>
To: Paul Leach <paulle@microsoft.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Paul Leach <paulle@microsoft.com> writes:
>>From: 	Hallvard B Furuseth[SMTP:h.b.furuseth@usit.uio.no]
>>
>>If I set up a server with Digest Authentication, a Man in the Middle or
>>Counterfeit Server could simply remove it and ask the client for Basic
>>Authentication instead.  The user will type in his password, "knowing"
>>that it cannot be decrypted.
> 
> Clients that care will refuse to send Basic.

True.

> Browsers need to be configurable to allow them to say that -- but
> that's not a protocol issue.

Why not?  You could define a Secure Client Standard for what clients
(who follow that standard) must tell the user when they ask
interactively for passwords.  True, this would not be part of the
protocol.

The protocol issue would be a header which lets the client say "I follow
(version XXX of) the Secure Client Standard".  Or an alternative to the
WWW-Authenticate: header which only clients that follow (version XXX or
above of) the Secure Client Standard may obey, combined with a way for a
server to ask client "Do you follow the Secure Client Standard?".  The
latter so that a server can refrain from asking careless clients for
passwords.

Of course the client may be lying, or have some weird definition of
"interactive" or "telling the user" -- THAT is not protocol issue.  But
it does give me teeth when I complain about a client which disclosed a
user's password even though my WWW service only asks users with secure
clients for passwords.

> Browsers should also probably remember sites that used Digest
> Auth once, and insist on it later.

I think that protects against MITM but not a counterfeit server (which
may live on some other site).


> We should clarify the security considerations sections to be more
> explicit how to make sure that Digest is actually used, so that its
> protections against MITM and counterfeit servers can be enjoyed.

Good.


>>Sigh -- I didn't want to learn that much about WWW security; all I
>>wanted was to write a simple WWW service which authenticates the user
>>via his UNIX password...
> 
> Use Digest.

Can't.  I think I need SSL/SHTTP; a Digested password can't be decrypted
and checked against the Unix passwd file.  Anyway, I'll go to some
newsgroup with that one.


Regards,

Hallvard
Received on Monday, 10 June 1996 02:20:16 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:03 EDT