Re: Security Requirements for HTTP, draft -00

At 2:52 PM +0100 1/28/08, Stephane Bortzmeyer wrote:
>2.1 says "Almost all HTTP authentication is accomplished through HTML
>forms, with session keys stored in cookies." This is clearly false. It
>is true only if you say "Web authentication for a human sitting
>behind a Web browser". But for HTTP, the protocol, which can be used
>by other things than Web graphical browsers, it is not my experience,
>I use RFC 2617 Basic Authentication or TLS with certificates a
>lot. (2.4 mentions these other uses, such as Web services.)

I disagree that the statement is "clearly false". I strongly suspect 
that if you add up all the authentications done on every HTTP server 
in the world today, forms+cookies+people would win over 
((nonforms+people) + (nonforms+nonpeople)). The first word in the 
sentence really does apply.

>2.1 says "Many users do not understand the construction of URIs
>[RFC3986], or their presentation in common clients [[ CITATION NEEDED
>]]." A good bibliography (thanks to Mike Beltzner @ Mozilla) is:
>
>"Decision Strategies and Susceptibility to Phishing", Downs, Holbrook
>& Cranor
>    http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf
>
>"Why Phishing Works", Dhamija, Tygar & Hearst
>    http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
>
>"Do Security Toolbars Actually Prevent Phishing Attacks", Wu, Miller
>& Garfinkel
>    http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf
>
>"Phishing Tips and Techniques", Gutmann
>    http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf

Thanks. Of these, I tend to lean towards Gutmann's article because it 
is the most forceful. Do others on the list have a preference?

>2.2.1 says "Since Basic credentials are clear text, they are reusable
>by any party." It seems to me that this has nothing to do with being in
>clear text or not. Basic credentials are dangerous because they are
>static, not because they are clear text (for which TLS is a
>solution).

The sentence is about reusability, not general danger. The 
reusability comes directly from the attacker being able to see the 
Basic credential go by.

>2.4 says "These protocols usually don't have much in common with the
>Architecture of the World Wide Web. It's not clear why term "Web" is
>used to group them," I agree that "Web" is not a good term but it does
>not mean they are off-topic for us, far from it, since we work on
>HTTP, not on "the Web". Also, some of these, like REST, have "a lot in
>common with the Architecture of the World Wide Web".

Section 2.4 is explicitly about "Web Services", not REST and the like. 
Would it suffice for you if we gave a more specific definition of "Web 
Services"?

--Paul Hoffman, Director
--VPN Consortium
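Editor's added example (not part of the thread or of the draft under discussion): the exchange above turns on what "reusable" means for RFC 2617 Basic. The code below builds a Basic Authorization header, shows that a passive observer on a cleartext link recovers the password from it and that the server accepts the captured header verbatim on any later request; it then runs the same replay against RFC 2617 Digest (qop="auth", algorithm MD5), where the response is bound to a server nonce and the captured value fails. The credential store, realm, URI and client nonce are constructed sample values, and the single-use nonce policy in `DigestServer` is an assumption of this example, not something RFC 2617 mandates.

```python
import base64
import hashlib
import secrets


# ---- Basic authentication (RFC 2617 section 2) ----
def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_recover(header: str) -> tuple[str, str]:
    """What a passive observer does with one captured header: base64 is an
    encoding, not encryption, so user and password come back as sent.
    The userid cannot contain ':', so we split on the first one only."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def basic_server_accepts(header: str, userdb: dict[str, str]) -> bool:
    """Server-side check. Nothing in the header ties it to a request, a nonce
    or a time, so a captured header stays valid as long as the password does."""
    user, password = basic_recover(header)
    return userdb.get(user) == password


# ---- Digest authentication (RFC 2617 section 3, qop="auth", MD5) ----
def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user: str, password: str, realm: str, method: str, uri: str,
                    nonce: str, cnonce: str, nc: str = "00000001") -> str:
    """request-digest = KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2))
    with KD(secret, data) = H(secret ":" data), A1 = user:realm:password,
    A2 = method:uri (RFC 2617 section 3.2.2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Minimal verifier. Assumption of this example: each nonce is accepted once."""

    def __init__(self, realm: str, userdb: dict[str, str]):
        self.realm = realm
        self.userdb = userdb
        self.live_nonces: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user: str, method: str, uri: str, nonce: str,
               cnonce: str, nc: str, response: str) -> bool:
        if nonce not in self.live_nonces:
            return False  # never issued or already consumed: verbatim replay stops here
        password = self.userdb.get(user)
        if password is None:
            return False
        expected = digest_response(user, password, self.realm, method, uri, nonce, cnonce, nc)
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.live_nonces.discard(nonce)
        return ok


def demo() -> dict[str, bool]:
    """Run the observer-replay scenario against both schemes."""
    userdb = {"alice": "correct horse"}  # constructed sample credential store
    uri, cnonce = "/dir/index.html", "0a4f113b"  # constructed sample values

    # Basic: one captured header yields the password and replays indefinitely.
    captured = basic_header("alice", "correct horse")
    _, recovered_pw = basic_recover(captured)
    basic_replay = basic_server_accepts(captured, userdb)

    # Digest: the observer captures a full, valid exchange ...
    srv = DigestServer("example", userdb)
    nonce1 = srv.challenge()
    resp1 = digest_response("alice", "correct horse", "example", "GET", uri, nonce1, cnonce)
    first_ok = srv.verify("alice", "GET", uri, nonce1, cnonce, "00000001", resp1)
    # ... then replays it verbatim (nonce consumed) and against a fresh challenge
    # (hash no longer matches). Both fail.
    verbatim_replay = srv.verify("alice", "GET", uri, nonce1, cnonce, "00000001", resp1)
    nonce2 = srv.challenge()
    new_nonce_replay = srv.verify("alice", "GET", uri, nonce2, cnonce, "00000001", resp1)

    return {
        "basic_password_recovered": recovered_pw == "correct horse",
        "basic_replay_accepted": basic_replay,
        "digest_first_accepted": first_ok,
        "digest_replay_verbatim_accepted": verbatim_replay,
        "digest_replay_new_nonce_accepted": new_nonce_replay,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

This shows only the replay property the quoted sentence is about. Digest still rests on the same static password, so an observed nonce/response pair is offline-guessable, and TLS removes the observer for both schemes; neither point is settled by this example.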

Received on Monday, 28 January 2008 16:48:11 UTC