W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

Re: [websec] [kitten] [saag] HTTP authentication: the next generation

From: Tim <tim-projects@sentinelchicken.org>
Date: Thu, 6 Jan 2011 08:25:59 -0800
To: Ben Laurie <benl@google.com>
Cc: Robert Sayre <sayrer@gmail.com>, "Roy T\. Fielding" <fielding@gbiv.com>, "apps-discuss\@ietf\.org" <apps-discuss@ietf.org>, websec <websec@ietf.org>, "kitten\@ietf\.org" <kitten@ietf.org>, "http-auth\@ietf\.org" <http-auth@ietf.org>, "saag\@ietf\.org" <saag@ietf.org>, "ietf-http-wg\@w3\.org Group" <ietf-http-wg@w3.org>
Message-ID: <20110106162559.GQ6792@sentinelchicken.org>

> 1. The IETF has fixed the problem, but no-one is using the fix - perhaps
> because it is not clear that it is the fix. I speak of RFC 4279, TLS
> pre-shared keys. These could be derived from a hash of the password and the
> site name, for example, and thus provide secure mutual authentication
> despite password reuse.
> 
> 2. I have often heard (though I am not aware of hard evidence for this,
> nevertheless I find it plausible) that one reason no-one has bothered to
> improve HTTP auth is because no-one would use it since site owners want to
> control the user experience around signin. It seems to me, therefore, that
> HTTP is the wrong layer to fix the problem at - it needs to be pushed down
> into HTML or Javascript so that the page can control the look, while
> appropriate HTML elements or JS code can deal with the secure exchange of
> data.

Yes, the user experience piece is definitely the biggest adoption
problem for HTTP auth, IMO.  However, I disagree that HTTP is the
wrong layer.  It has already been shown (by myself and others) that
using HTTP authentication and controlling the user experience can
largely be achieved already.  A few tweaks to browser 401 response
behavior (which doesn't require standards changes) and the ability for
servers to force a log out are all that's left to provide to make
this reliable.

As for RFC 4279, I'm not really familiar with it, but I imagine the
mechansims which allow for user experience customization right now
with HTTP auth could easily be extended to any TLS authentication
mechansim.  The only requirement there would be to add some simple
language allowing for this behavior in [1].  That is, allow
XMLHttpRequest objects to hand the credentials they already accept off
to the TLS layer, either for RFC 4279 or for SRP/TLS.  


> Of course, this still leaves the issue of trusted path: although we can
> provide elements which are safe to use, even when being phished, how does
> the user know those elements are actually being used, rather than simulated
> so as to get hold of the underlying password?
> 
> The answer to this problem is hard, since it brings us back to taking the UI
> out of the sites hands.

Yes, so what I've outlined above and elsewhere is a relatively simple
transition path to allow adoption of better authentication standards
with customizable user interfaces.  But those are problematic by
design.  However, I'd assert that moving web applications off of
cookies to some lower-layer mechanism is going to be a required first
step in order to provide authentication prompts that are part of the
browser, for those who need that security.

tim



1. http://www.w3.org/TR/XMLHttpRequest/
Received on Thursday, 6 January 2011 16:26:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:36 GMT