Re: #539: mention TLS vs plain text passwords or dict attacks?

On 2014-01-22 15:04, Julian Reschke wrote:
> On 2014-01-02 10:27, Julian Reschke wrote:
>> Hi there,
>>
>> in the IESG feedback, we were asked by Sean Turner and Stephen Farrell
>> to mention TLS in part 7:
>>
>> Sean Turner:
>>
>>> 1) So I guess the reason we're not saying TLS is an MTI with
>>> basic/digest is that that's getting done in an httpauth draft? It
>>> really wouldn't hurt to duplicate that while we're getting the other
>>> one done (I know you *don't* want a reference to that draft).
>>
>> Stephen Farrell:
>>
>>> Please check the secdir review. (
>>> http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I
>>> agree with the comment that this really should have some mention of
>>> using TLS to protect basic/digest, even if that ought also be elsewhere.
>>
>> However, P7 currently does not attempt to discuss security
>> considerations that would be specific to particular authentication
>> schemes.
>>
>> Basic and Digest are defined in RFC 2617, and already have these
>> warnings in their Security Considerations. The same will be true for the
>> replacement specs the HTTPAUTH WG is working on.
>>
>> Thus I'd like to close this as WONTFIX -- feedback appreciated!
>>
>> Best regards, Julian
>
> Proposed change
> (<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/539/539.diff>):
> add
>
> "Challenges and responses are transmitted in header field values, and
> thus can easily leak information when not using a secured connection.
> Depending on the type of the authentication scheme, it therefore can be
> necessary to use a TLS-secured connection ("Transport Layer Security",
> [RFC5246])."
>
> Amos, if you want to tune this to clarify that there are other ways to
> secure the bits, please go ahead and make a proposal...
>
> Best regards, Julian

...and applied with 
<http://trac.tools.ietf.org/wg/httpbis/trac/changeset/2571>.

Best regards, Julian

Received on Thursday, 23 January 2014 14:28:04 UTC