Re: Basic Authentication - what do we have?

If we actually consider the threat model here, I'm not sure how adding
encryption is going to help the user.  How many cases of identity theft
have we seen where the credentials were sniffed during transmission?
While encryption certainly doesn't hurt, the biggest threat comes from a
backend database being hacked (out of scope) or when a spoofed site
receives the information directly (in scope).  In the case of the
latter, using SSL/TLS certainly won't help matters.

One idea I've been toying with is forcing the user to enter a domain
name in these dialog boxes (if the user has never interacted with this
domain before).  The browser could then compare the desired destination
with the actual one before it sends any information.  Of course, the
problem is making this unspoofable, which then goes back to the
"distinguishing chrome from content" problem...

serge

Doyle, Bill wrote:
> This is server side or application processing, is this out?
> 
> Recommendation
> 
> HTTP Basic Authentication - Basic Authentication passes credentials (ID
> /PW) in the HTTP header in clear text. This form of authentication
> requires additional security services to be considered secure. Options
> to secure HTTP basic authentication include HTTPs (SSL / TLS) and use
> of VPN technology.
> 
> Bill
> wdoyle@mitre.org
> 
> 
> 
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Yngve Nysaeter
> Pettersen
> Sent: Monday, June 25, 2007 10:55 AM
> To: Mary Ellen Zurko; public-wsc-wg@w3.org
> Subject: Re: Basic Authentication - what do we have?
> 
> 
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko  
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
> 
>> What do we have in our set of proposals that addresses trust decisions
>> posed by Basic Authentication? The realm information (within the modal
>> dialog in the browser I use) is set by the web site. The browser I use
>> puts the domain in the title bar. When I have the resolution on my display
>> cranked down to increase the size of everything (something I do more and
>> more these days), the most pertinent part of the domain is truncated from
>> the right hand side of the dialog's title display. I very much want to
>> know that the domain ends in "ibm.com" when I think I'm typing in my IBM
>> password. What, if anything, do we have in our proposals that addresses
>> this?
> 
> I don't recall having seen anything about this, at least major
> discussion.
> 
> I think a discussion of this should not be limited to Basic, but should
> include the other methods, such as Digest and NTLM/Negotiate, as well.
> 
> Opera displays the servername as a field inside the dialog, as well as the
> realm, which is presented as a message from the server.
> 
> We are currently considering what we display in this dialog and how it is
> displayed, from both a usability and a security point of view.
> 
> Parts of what is being considered are:
> 
>   - How to present the security of the credential transmission
> 
>   - How to present the identity (at least the hostname) of who is asking
> for the credentials in a usable manner. This is a problem that is not
> restricted to authentication, but extends to such areas as the display of
> the URL in address bar and determining if two servers are allowed to share
> cookies. See references below for some discussion and background on that.
> 
> 
>   http://my.opera.com/yngve/blog/show.dml/267415
>   http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list_help_wanted.html
>   http://wiki.mozilla.org/Gecko:Effective_TLD_Service
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 25 June 2007 17:33:00 UTC
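As an added example (not code from the thread or from any browser mentioned in it), here are the checks the ideas above imply: label-boundary matching of the domain the user typed against the real destination before credentials are sent, registrable-domain extraction over a constructed effective-TLD subset standing in for the lists Yngve links, and right-anchored truncation of the asking host so a narrow dialog title keeps the "ends in ibm.com" part. The function names and the TLD subset are assumptions.

```python
# Added example (not code from the thread or any browser): the checks behind
# the ideas above, over a constructed effective-TLD subset.
EFFECTIVE_TLDS = {"com", "org", "net", "co.uk"}  # constructed subset


def registrable_domain(hostname: str) -> str:
    """Effective TLD plus one label: www.ibm.com -> ibm.com,
    login.example.co.uk -> example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in EFFECTIVE_TLDS:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def destination_matches(expected: str, actual_host: str) -> bool:
    """Serge's check: send credentials only if the real destination is the
    domain the user typed, or a subdomain of it. Matching is anchored at a
    label boundary, so 'ibm.com.example.net' (constructed look-alike) and
    'notibm.com' are rejected for 'ibm.com'; a bare public suffix such as
    'com' is refused because it identifies no site."""
    expected = expected.lower().strip(".")
    actual = actual_host.lower().rstrip(".")
    if not expected or expected in EFFECTIVE_TLDS:
        return False
    return actual == expected or actual.endswith("." + expected)


def identity_line(actual_host: str, width: int) -> str:
    """Right-anchored display of the asking host for a narrow dialog title:
    the left side is truncated, never the right, so the registrable domain
    Mary Ellen wants to see ('ends in ibm.com') is always kept whole."""
    text = actual_host.lower().rstrip(".")
    site = registrable_domain(text)
    if len(text) <= width:
        return text
    if len(site) + 3 >= width:                # no room for '...' plus site
        return site
    return "..." + text[-(width - 3):]
```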