Re: Authentication and TCP Connection State

On Fri, Oct 03, 2014 at 12:10:55PM -0400, Michael B Allen wrote:
> An HTTP authentication sequence looks something like:
> 
>     C: GET /some/thing/6678
>     S: 401 Unauthorized
>        WWW-Authenticate: MyAwsomeAuth XlwYXNzd29yZA...
> 
>     C: GET /some/thing/6678
>        Authorization: NTLM MyAwsomeAuth bGxXwYXbxXlYX...
>     S: 200 OK
> 
> The way this is implemented on the server is to create some
> authentication state and associate it with the client TCP connection
> using the client's IP and remote port as an index into a map of
> ongoing authentication state objects.
> 
> My question is, can HTTP/2 clients submit multiple requests on the
> same TCP connection without waiting for responses?
> 
> If yes, how could HTTP authentication possibly work when there would
> be no way to lookup the correct authentication state object associated
> with the submitted auth token?

Basically, most authentication methods are associated with the request,
but some (the most well-known one is Negotiate) are associated with the
connection.

Request-associated authentication works with both HTTP/1.1 and HTTP/2.

Some of these methods are stateful (authentication state is carried
between requests).

Connection-associated authentication is not reliable in HTTP/1.1 and
things are even worse in HTTP/2. Heck, there is a note in the IANA
registration of Negotiate about breaking assumptions and specs.


> This whole "HTTP is stateless" business is just false. HTTP is NOT
> stateless. Cookies and sessions are hacks to work-around this fact.

Browsers assume HTTP is stateless. And when one secretly breaks that
assumption (e.g. cookies) security holes result (and this has nothing
to do with bearer nature of cookies).

And even in cases where the browser knows things are stateful (e.g. HTTP
authentication), that information is not really used, so pretty much
the same security holes are still there.

And attacks targeting these holes do happen in the real world.


-Ilari

Received on Friday, 3 October 2014 19:23:04 UTC
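The failure mode discussed in this thread, as an added worked example that is not part of the original messages: a toy challenge/response scheme (constructed here, not NTLM or Negotiate) implemented two ways. `ConnectionKeyedServer` stores the outstanding challenge under the client's (IP, port), exactly as Michael's server does; `RequestKeyedServer` makes the challenge token self-authenticating (nonce plus a server MAC over it) so the Authorization header carries everything the server needs. `multiplexed_exchange` sends two requests on one connection before reading either response, as an HTTP/2 client may do on streams 1 and 3. The user, password, server key and client address are all constructed fixtures.

```python
"""Toy challenge/response HTTP auth, constructed for this example (not NTLM/Negotiate)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed fixtures: one user and a server-side MAC key.
USERS = {"alice": b"correct horse battery staple"}
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Request:
    stream_id: int                    # HTTP/2 stream id (odd ids are client-initiated)
    path: str
    conn: tuple                       # (client IP, client port): the index the post describes
    authorization: Optional[str] = None


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def client_answer(www_authenticate: str, user: str) -> str:
    """Client side: prove knowledge of the password over the challenge token it received."""
    scheme, token = www_authenticate.split(" ", 1)
    return f"{scheme} {user}:{token}:{_mac(USERS[user], token)}"


class ConnectionKeyedServer:
    """Challenge state stored per (ip, port), as in the original post."""
    def __init__(self):
        self.pending = {}             # (ip, port) -> outstanding nonce

    def handle(self, req: Request):
        if req.authorization is None:
            nonce = secrets.token_hex(8)
            self.pending[req.conn] = nonce        # clobbers any other in-flight stream's nonce
            return 401, f"Toy {nonce}"
        user, _echoed, proof = req.authorization.split(" ", 1)[1].split(":")
        nonce = self.pending.pop(req.conn, None)  # looked up by connection, not by stream
        if nonce is None or user not in USERS:
            return 401, None
        if not hmac.compare_digest(proof, _mac(USERS[user], nonce)):
            return 401, None
        return 200, None


class RequestKeyedServer:
    """Token is nonce.mac, so each response can be verified on its own."""
    def __init__(self):
        self.used = set()             # replay protection: a token answers exactly one request

    def handle(self, req: Request):
        if req.authorization is None:
            nonce = secrets.token_hex(8)
            return 401, f"Toy {nonce}.{_mac(SERVER_KEY, nonce)}"
        user, token, proof = req.authorization.split(" ", 1)[1].split(":")
        nonce, _, tag = token.partition(".")
        if user not in USERS or not hmac.compare_digest(tag, _mac(SERVER_KEY, nonce)):
            return 401, None                      # token was not issued by this server
        if token in self.used:
            return 401, None                      # replayed response
        if not hmac.compare_digest(proof, _mac(USERS[user], token)):
            return 401, None
        self.used.add(token)
        return 200, None


def multiplexed_exchange(server) -> list:
    """Two requests in flight on one connection before either response is read (HTTP/2)."""
    conn = ("203.0.113.7", 51234)                 # constructed client address
    first = Request(1, "/some/thing/6678", conn)
    second = Request(3, "/some/thing/6679", conn)
    _, challenge1 = server.handle(first)
    _, challenge3 = server.handle(second)
    # The client answers each challenge on the stream that received it.
    status1, _ = server.handle(Request(1, first.path, conn, client_answer(challenge1, "alice")))
    status3, _ = server.handle(Request(3, second.path, conn, client_answer(challenge3, "alice")))
    return [status1, status3]


def serial_exchange(server) -> int:
    """One request at a time: the only pattern the connection-keyed design handles."""
    conn = ("203.0.113.7", 51235)
    req = Request(1, "/some/thing/6678", conn)
    _, challenge = server.handle(req)
    status, _ = server.handle(Request(1, req.path, conn, client_answer(challenge, "alice")))
    return status


if __name__ == "__main__":
    print("connection-keyed, serial:      ", serial_exchange(ConnectionKeyedServer()))
    print("connection-keyed, multiplexed: ", multiplexed_exchange(ConnectionKeyedServer()))
    print("request-keyed, multiplexed:    ", multiplexed_exchange(RequestKeyedServer()))
```

With the connection-keyed server the serial exchange succeeds, but the multiplexed one rejects a legitimate client on both streams: stream 3's challenge overwrote stream 1's under the same (IP, port) key, so stream 1's proof is checked against the wrong nonce and stream 3's nonce has already been popped. The request-keyed server accepts both, because the state it needs travels in the header. The `used` set is the per-request statefulness Ilari mentions; without it the self-authenticating token would be replayable, which is the trade-off of moving state out of the connection.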