W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Thu, 01 Mar 2012 00:21:51 +0100
Message-ID: <1330557711.24673.133.camel@home.hno.se>
To: Adrien de Croy <adrien@qbik.com>
Cc: ietf-http-wg@w3.org
tor 2012-03-01 klockan 11:57 +1300 skrev Adrien de Croy:

> that depends on proxy design.  If the challenges and responses are going 
> over the same TCP connection it's pretty simple.

I won't go into this. HTTP is message oriented, not connection oriented.

> the main area we see the problem is actually not in proxy auth, but when 
> a proxy intercepts the connection, requires auth and then the website 
> requires auth as well.
> 
> It's hard for the proxy to know whether an auth response should be 
> processed by itself, or upstream.

Are you talking of transparent intercepting proxies doing NTLM here? If
you do then please stop, that's just happens to work because the
security model of NTLM is plain broken broken allowing it to be abused
in mitm attacks in completely insecure manners. end of discussion.
Please let NTLM die a painful death.

> In most cases though where this happens, wouldn't the upstream proxies 
> be within the same administrative domain?  e.g. so creds should work, 
> and leakage shouldn't be a problem.

Even that assumption only holds for basic auth. With anything else it
breaks.

Regards
Henrik
Received on Wednesday, 29 February 2012 23:22:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:56 GMT