- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 01 Mar 2012 11:57:00 +1300
- To: Henrik Nordström <henrik@henriknordstrom.net>
- CC: ietf-http-wg@w3.org
On 1/03/2012 11:44 a.m., Henrik Nordström wrote:
> Thu 2012-03-01 at 09:09 +1300, Adrien de Croy wrote:
>> There is one other thing I would add to auth:
>>
>> Ability for a challenger to identify itself, and for a response to
>> target a challenger.
> proxy-auth is currently defined hop-by-hop avoiding this mess. But
> unfortunately real-life networks are not always that simple.
>
> but security implications of multi-level proxy challenges are tricky to
> say the least. There is no guarantee the next request travels the same
> path.

That depends on proxy design. If the challenges and responses are going
over the same TCP connection it's pretty simple.

e.g. NTLM... sorry, had to say it :)

The main area we see the problem is actually not in proxy auth, but when
a proxy intercepts the connection, requires auth and then the website
requires auth as well. It's hard for the proxy to know whether an auth
response should be processed by itself, or upstream.

> I would not dare to venture into specifying what such a multi-level
> challenge/response process with varying path would look like or work, or
> the security aspects of any such design.
>
>> Adding a parameter to the challenge and response which identifies the
>> challenger would allow for this.
> Yes, but opens up a big can of worms as expressed above.

I guess a proxy could keep a map of seen auth identifier tokens and
re-use the same path back again (if possible).

But ok, see your point. In most cases though where this happens,
wouldn't the upstream proxies be within the same administrative domain?
e.g. so creds should work, and leakage shouldn't be a problem.

Adrien

>
>> In fact it would then allow proxy and server auth to use the same
>> mechanism and headers.
> Which is one very visible aspect of that big can of worms. You need a
> damn good framework defining what may be sent where, and the
> possibilities of both security leakage and breakage explode.
>
> Regards
> Henrik
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 is released! - http://www.wingate.com/getlatest/
Received on Wednesday, 29 February 2012 22:57:38 UTC