W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

Proxy-Authorization with empty credentials

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 05 Oct 2011 22:16:30 +1300
Message-ID: <4E8C206E.9060004@qbik.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

Hi all, I'm hoping someone can help here.

I've been trawling RFC2616 and 2617 for clarity on an issue a customer 
is having.

They have an AV product that does updates using HTTP, and has 
configuration settings for a proxy, and settings to enable/disable proxy 
auth and supply credentials.

The problem is the software sends Proxy-Authorization in all requests, 
using Basic, and no user/pass - just a base64 encoded ':'

Since the credentials are empty, we fail authorization, even though 
policy didn't require authorization, the existence of the 
Proxy-Authorization header in the request triggered our auth code.

The reason we go straight into our auth code on the existence of this 
header, is because with Basic auth, the client will commonly re-use the 
credentials it previously successfully validated, and going straight to 
check the creds saves a 407 and round trip.

I'm struggling to find any language in 2616 and 2617 that states that a 
Proxy-Authorization with empty creds is invalid, although it seems like 
an incredibly bad idea.

The customer contacted the vendor of the offending software, and they 
said it's by design and not considered a bug.

Maybe we need to clarify this going forward?  I think a client shouldn't 
send P-A unless they wish to authenticate, and shouldn't send Basic 
creds without clear directive from the user (since it's a potential 
credential leak).

Adrien

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Wednesday, 5 October 2011 09:17:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:48 GMT