Re: Logout from Erik Aronesty on 2001-01-03 (ietf-http-wg@w3.org from January to March 2001)

From: Erik Aronesty <erik@primedata.org>
Date: Wed, 3 Jan 2001 11:47:32 -0500
To: Tom McLaren <tom@mclaren.tc>
Cc: http-wg@cuckoo.hpl.hp.com
Message-ID: <1d0f01c075a4$e0c6b8a0$cd4751d1@primedata.org>
Dear Tom,

The site cannot easily know whether or not the request was coming from the
cache or the client... unless the cache tells it.

Thus the server always relys on a "third party" (the browser or the
cache)... to manage or respect authentication "state".

It's just an oversight that cookies are "expirable" (they have timeouts and
they can be forced by the server to expire) and usernames/passwords aren't.

In a way, "cookies" are "more secure" than the security mechanisms built
into http.

                - Erik

----- Original Message -----
From: "Tom McLaren" <tom@mclaren.tc>
To: "Erik Aronesty" <erik@primedata.org>
Cc: <http-wg@cuckoo.hpl.hp.com>
Sent: Wednesday, January 03, 2001 4:47 AM
Subject: RE: Logout


> I agree that a "logout" type button should certainly be implemented. I'm
> interested in your choice of words however, naming the non-provision of an
> HTTP server cache clearance request as a security hole. In my opinion it
is
> the responsibility of the site to provide some form of timeout security.
To
> provide an HTTP type clearance of the cache is exposing the agent to what
> amounts to control by a third party. Surely this would constitute a
greater
> threat to security and not be a road to wander down without serious
> consideration of the potential future implications?
>
> Tom
>
> > -----Original Message-----
> > From: Erik Aronesty [mailto:erik@primedata.org]
> > Sent: 02 January 2001 21:15
> > To: Erik Aronesty; Scott Lawrence
> > Cc: http-wg@cuckoo.hpl.hp.com; support@microsoft.com
> > Subject: Re: Logout
> >
> >
> >
> > Sorry I found it... there is a recommendation,
> >
> >     Microsoft and Netscape just blindly ignore it:
> >
> > Section 15.6 "Authentication Credentials and Idle Clients":
> >
> >  "In particular, user agents which cache credentials are
> >    encouraged to provide a readily accessible mechanism for discarding
> >    cached credentials under user control."
> >
> > Which neither do - even though it's a security hole.
> >
> >                 - Erik
> >
> > ----- Original Message -----
> > From: "Erik Aronesty" <erik@primedata.org>
> > To: "Scott Lawrence" <slawrence@virata.com>
> > Cc: <http-wg@cuckoo.hpl.hp.com>
> > Sent: Tuesday, January 02, 2001 4:12 PM
> > Subject: Re: Logout
> >
> >
> > > > > the passwords that are used to access HTTP servers?  IE: a
"logout"
> > > button
> > > > > for HTTP built-in authentication.
> > > > >
> > > > > I imagine that this is the sort of requirement that HTTP
> > people think
> > > that
> > > > > this should be in the HTML group - and vice-versa.
> > > > >
> > > > > However it is an embarrassing oversight in modern browsers.
> > > >
> > > > One that some of us have tried hard to overcome, to no avail.  The
> > > > basic problem is that the browser vendors have listened carefully to
> > > > what thier customers want, and have heard loud and clear that they
> > > > don't want to have to remember passwords.
> > >
> > > Over 600 users have asked us within the last year how to "log out" of
> > sites
> > > such as etrade and daytek which use HTTP based authentication.
> > >
> > > Browser customers don't want to remember passwords - however they want
> > > a "logout button" as well.  This is not a paradox and there is no
> > > inextricable reason why
> > > browsers can't cache usr information but have a button for "clearing
the
> > > cache"
> > >
> > > I think the real reason that this has not been done is because
> > both major
> > > browsers today have other agendas regarding network access and
security.
> > >
> > > Currently there is no way to clear the cache by having an HTTP server
> > > request
> > > it to be cleared - or by a user initiating the clearing of this
> > information.
> > > This
> > > is a basic security leak - and should be plugged.
> > >
> > > > Paul Leach of Microsoft and I attempted to provide a framework for a
> > > > solution to this and some related problems in a submission to the
> > > > W3C (User Agent Authentication Forms) in February of 1999:
> > > >
> > > >     http://www.w3.org/TR/1999/NOTE-authentform-19990203
> > >
> > >
> > > However, this is a "forms based" solution which undermines digest
> > > authentication
> > > and other more "standard" forms of authentication - that have
> > proved very
> > > helpful
> > > to developers of web applications.
> > >
> > > Simply, there should be one line added to section 4.13
> > >
> > >     ftp://ftp.isi.edu/in-notes/rfc2617.txt
> > >
> > > "It is reccomended that the authenticating agent provide a set
> > mechanisms
> > > for
> > > removing entries from the "password file" associated with a given
realm,
> > for
> > > the purposes of logging out of a system."
> > >
> > > And that's about all that's necessary.
> > >
> > > I don't think it needs a whole RFC ... just an addendum to
> > existing ones.
> > >
> > >             - Erik
> > >
> >
> >
> >
>
>
>
Received on Wednesday, 3 January 2001 08:49:48 UTC