
Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

From: Ben Laurie <benl@google.com>
Date: Sun, 9 Jan 2011 19:21:34 +0000
Message-ID: <AANLkTi=0m=cK_qMC5GNwu3WbaZZy2_5948p6JXaNU3H8@mail.gmail.com>
To: "Zed A. Shaw" <zedshaw@zedshaw.com>, Ben Laurie <benl@google.com>, Blaine Cook <romeda@gmail.com>, Phillip Hallam-Baker <hallam@gmail.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On 9 January 2011 18:32, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> On Sun, Jan 09, 2011 at 01:44:12PM +0000, Ben Laurie wrote:
>> > for the record, I don't think that OAuth itself is a suitable
>> > replacement for HTTP authorisation, but wanted to stir the pot,
>> > especially away from overwrought technical solutions that don't
>> > actually solve anyone's needs.
>>
>> Towards ones that are ripe for phishing and have no privacy
>> protections? I don't believe that's a good direction.
>
> Ripe for phishing?  I must have missed a whole conversation in all this
> cross posting, because last I checked none of the proposed solutions
> prevent phishing.
>
> If you can phish one site you can phish another.  It's not the sites or
> the protocol that causes phishing, or whether you've got a billion
> redirects or Diffie-Hellman to the hilt.  OpenID or OAuth or
> plain-old-form-auth don't prevent or cause phishing.
>
> What causes phishing is users have no idea that two websites are
> different.

Whilst I do not disagree with this claim, you are wrong. There are
protocols which effectively prevent phishing - so long as password
entry is done in an unspoofable UI.

I am sure that you will respond that UI can be spoofed as easily as a
website can be, and I'm almost ready to agree with that, given that we
still don't have a good answer to that, however, my one small ray of
hope in this regard is that there's only one UI we need to make
unspoofable as opposed to a million websites. And, what's more, we
don't really need to invoke it every time a user logs in to a website
- really what we want is for the user to authenticate to their device
and have the device handle the rest.

OpenID and OAuth are particularly nasty, even by today's standards,
because they provide a trivial route for the phisher to do a perfect
MitM attack on the IdP.

Received on Sunday, 9 January 2011 19:22:05 GMT
