Re: Authentication and TCP Connection State

On Fri, Oct 03, 2014 at 01:31:15PM -0400, Michael B Allen wrote:
> On Fri, Oct 3, 2014 at 12:22 PM, Matthew Cox <macox@microsoft.com> wrote:
> > It doesn't work, but we had a proposal a couple years ago to address this: http://tools.ietf.org/id/draft-montenegro-httpbis-multilegged-auth-01.txt
> 
> Rats. This is absolutely going to block HTTP/2 in the enterprise. And
> even after clients are updated (and we're not just talking about
> browsers), how will the client even know it needs to serialize
> requests?
> 
> Only the server knows if authentication is required. I think the
> server should provide a TCP-level option that makes the server
> serialize until the first 200 status is reached. I can imagine there
> are numerous instances where it logically and conceptually should
> block to the first 20x to "negotiate" something. I suspect it already
> does (TLS/SSL).
> 
> This whole "HTTP is stateless" business is just false. HTTP is NOT
> stateless. Cookies and sessions are hacks to work-around this fact.

No this is wrong. HTTP *is* stateless, it's just that people didn't
know it and invented a crappy insecure authentication mechanism which
authenticates the TCP connection instead of the requests. Result:
anybody behind a proxy can share anyone else's connection, and I guess
that all subscribers on this WG have already done it at least for fun
in such enterprises.

The HTTP/1 spec is very clear on this: requests are independent. So
there's nothing in the first request that precludes what will happen
to the second request, and it's perfectly legit to transport multiple
users between a proxy and a server over the same TCP connection.

Problems are already very common when using NTLM which expects
keep-alive to be granted when some components close the connection
after a response (which is perfectly valid as well). I think that
HTTP/2 will take more time to be deployed in enterprises because
of this, but at the same time it will incite admins to finish their
migration to get away from this total security and interoperability
failure which has lasted more than a decade.

Regards,
Willy
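As an added example, not part of the thread or of any project discussed in it, the following Python model shows the failure Willy describes: a server that scopes authentication to the TCP connection (NTLM-style) versus one that authenticates each request, with a forward proxy multiplexing several users over one upstream keep-alive connection. The `Creds user:password` header scheme, the user names and the paths are constructed stand-ins, not any real protocol.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed sample users (not real credentials).
CREDS = {"alice": "secret", "bob": "hunter2"}


@dataclass
class Request:
    user: str                          # who really sent it (known only to the log)
    path: str
    authorization: Optional[str] = None  # constructed "Creds user:password" scheme


def check_credentials(header: Optional[str]) -> Optional[str]:
    """Return the authenticated user name, or None if the header is absent or wrong."""
    if not header or not header.startswith("Creds "):
        return None
    user, _, password = header[len("Creds "):].partition(":")
    return user if CREDS.get(user) == password else None


class ConnectionAuthServer:
    """Connection-oriented auth: once one request on a connection authenticates,
    the connection is marked as that user and later requests are trusted blindly."""

    def __init__(self) -> None:
        self.authed = {}  # conn_id -> user name

    def handle(self, conn_id: str, req: Request) -> Tuple[int, Optional[str]]:
        user = self.authed.get(conn_id)
        if user is None:
            user = check_credentials(req.authorization)
            if user is None:
                return (401, None)
            self.authed[conn_id] = user
        return (200, user)


class RequestAuthServer:
    """Stateless auth: every request must carry its own valid credentials."""

    def handle(self, conn_id: str, req: Request) -> Tuple[int, Optional[str]]:
        user = check_credentials(req.authorization)
        return (200, user) if user else (401, None)


class Proxy:
    """Forward proxy that reuses a single upstream connection for all downstream clients,
    which HTTP/1 permits because requests are independent."""

    def __init__(self, server) -> None:
        self.server = server
        self.upstream_conn = "upstream-1"

    def forward(self, req: Request) -> Tuple[int, Optional[str]]:
        return self.server.handle(self.upstream_conn, req)


def run_scenario(server) -> List[Tuple[str, int, Optional[str]]]:
    """Alice authenticates through the proxy; Bob then sends requests over the same
    upstream connection. Returns (real sender, status, identity the server assigned)."""
    proxy = Proxy(server)
    requests = [
        Request("alice", "/inbox", "Creds alice:secret"),
        Request("bob", "/inbox"),                        # no credentials at all
        Request("bob", "/inbox", "Creds bob:wrongpw"),   # wrong password
    ]
    results = []
    for req in requests:
        status, identity = proxy.forward(req)
        results.append((req.user, status, identity))
    return results


def misattributed(results) -> List[Tuple[str, int, Optional[str]]]:
    """Requests the server served as a user other than the one who actually sent them."""
    return [r for r in results if r[1] == 200 and r[2] != r[0]]


if __name__ == "__main__":
    for name, server in [("connection-scoped", ConnectionAuthServer()),
                         ("per-request", RequestAuthServer())]:
        results = run_scenario(server)
        print(name, results, "misattributed:", misattributed(results))
```

With the connection-scoped server, both of Bob's requests are served as Alice, including the one with a wrong password; the per-request server answers 401 to both. The point is not the toy protocol but the scoping: any authentication state keyed on the connection rather than on the request is only as good as the guarantee that one connection carries one user, which a proxy is under no obligation to provide.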

Received on Friday, 3 October 2014 19:01:54 UTC