
Re: #177: Realm required on challenges

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 25 Jul 2011 15:30:35 +1200
Message-ID: <4E2CE35B.2010703@qbik.com>
To: Amos Jeffries <squid3@treenet.co.nz>
CC: ietf-http-wg@w3.org

On 25/07/2011 3:00 p.m., Amos Jeffries wrote:
> On 25/07/11 13:39, Adrien de Croy wrote:
> AIUI, WWW-Auth and Proxy-Auth are defined explicitly with distinct 
> end-to-end and hop-by-hop requirements to prevent exactly that 
> leakage. There is no leak problem unless the implementation is 
> non-compliant or misconfigured.
> There is the edge case we hit occasionally. Where two chained proxies 
> require unique Proxy-Auth credentials from the client. Admin obsession 
> with end-to-end single-signon appears to be avoiding this problem for 
> now on most networks. But these per-user chaining configurations are 
> still being asked about in our user base occasionally. It is 
> reasonable to assume they are being implemented ... somehow.

How does a proxy state (using Realm)

"use those creds for any site you access through me"

if the base URL must be combined with the realm?  Unless you can say 
realm="../../*" or something.

The problem is

a) the proxy MUST provide a realm
b) the realm must be combined with the base URI

Yet another reason why intercepting connections is a bad idea.
> What has that got to do with this topic? any halfway sane interceptor 
> won't touch auth at all. The insane ones break things regardless of 
> what gets specified.

Therefore there are a lot of insane network admins out there who insist 
on the ability to

a) intercept connections (so they don't need to configure a proxy in the 
client); AND
b) authenticate those connections at the intercepting proxy

Sure, it sucks, but when you turn on automatic logon in IE, it actually 
kinda works.  Sure it's less work to just configure the browser to use 
the proxy and you get a better experience.

Problem is there are a bunch of proxy vendors (ourselves included) who 
support intercepted connections, because that's what users think they 
want.  We no longer recommend it, but others do, and on the face of it, 
the benefits seem worth-while, and therefore often form part of a 
purchasing decision.


Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 beta out now - http://www.wingate.com/getlatest/
Received on Monday, 25 July 2011 03:31:06 UTC
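The end-to-end versus hop-by-hop distinction Amos and Adrien are arguing about, as an added illustration that is not part of the thread: a client credential store that binds WWW-Authenticate realms to the origin's protection space and Proxy-Authenticate realms to the proxy itself (so one set of proxy credentials applies to any site reached through that proxy), and a compliant proxy's forwarding step that consumes Proxy-Authorization as a hop-by-hop header, which is also why a second chained proxy never sees the first hop's credentials. Hostnames, realm names and the Basic tokens are constructed placeholders, and header matching is simplified to exact-case dictionary keys.

```python
from urllib.parse import urlsplit

# Hop-by-hop header names per RFC 7230 section 6.1; a proxy consumes these
# and must not forward them to the next hop.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"}

def authority(url):
    """Canonical (scheme, host, port) that roots a protection space."""
    u = urlsplit(url)
    return (u.scheme, u.hostname.lower(),
            u.port or (443 if u.scheme == "https" else 80))

class CredentialStore:
    """Credentials keyed by (scope, authority, realm); scope is 'origin' or 'proxy'."""
    def __init__(self):
        self._creds = {}
    def add(self, scope, url, realm, token):
        self._creds[(scope, authority(url), realm)] = token
    def get(self, scope, url, realm):
        return self._creds.get((scope, authority(url), realm))

def request_headers(store, target_url, origin_realm=None,
                    proxy_url=None, proxy_realm=None):
    """Attach Authorization for the origin's protection space (origin + realm)
    and Proxy-Authorization for the proxy's (proxy + realm). The proxy realm is
    bound to the proxy, not the target, so it covers every site behind it."""
    headers = {}
    if origin_realm is not None:
        tok = store.get("origin", target_url, origin_realm)
        if tok:
            headers["Authorization"] = tok
    if proxy_url and proxy_realm is not None:
        tok = store.get("proxy", proxy_url, proxy_realm)
        if tok:
            headers["Proxy-Authorization"] = tok
    return headers

def proxy_forward(headers):
    """Headers a compliant proxy forwards upstream: hop-by-hop names, plus any
    listed in Connection, are dropped. Authorization is end-to-end and stays."""
    listed = {h.strip().lower()
              for h in headers.get("Connection", "").split(",") if h.strip()}
    return {k: v for k, v in headers.items()
            if k.lower() not in HOP_BY_HOP | listed}
```

A chained-proxy deployment that wants per-hop credentials therefore cannot rely on the client's single Proxy-Authorization reaching the second proxy; the first hop has already consumed it.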