Re: Basic Authentication - what do we have? from Anil Saldhana on 2007-06-25 (public-wsc-wg@w3.org from June 2007)

From: Anil Saldhana <Anil.Saldhana@redhat.com>
Date: Mon, 25 Jun 2007 14:10:02 -0500
To: yngve@opera.com
CC: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
Message-ID: <4680130A.2020509@redhat.com>

I would not consider BASIC, DIGEST, NTLM as anywhere near secure.

Yngve Nysaeter Pettersen wrote:
>
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko 
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
>> What do we have in our set of proposals that addresses trust decisions
>> posed by Basic Authentication? The realm information (within the modal
>> dialog in the browser I use) is set by the web site. The browser I use
>> puts the domain in the title bar. When I have the resolution on my 
>> display
>> cranked down to increase the size of everything (something I do more and
>> more these days), the most pertinent part of the domain is truncated 
>> from
>> the right hand side of the dialog's title display. I very much want to
>> know that the domain ends in "ibm.com" when I think I'm typing in my IBM
>> password. What, if anything, do we have in our proposals that addresses
>> this?
>
> I don't recall having seen anything about this, at least major 
> discussion.
>
> I think a discussion of this should not be limited to Basic, but 
> should include the other methods, such as Digest and NTLM/Negotiate, 
> as well.
>
> Opera displays the servername as a field inside the dialog, as well as 
> the realm, which is presented as a message from the server.
>
> We are currently considering what we display in this dialog and how it 
> is displayed, from both a usability and a security point of view.
>
> Parts of what is being considered are:
>
>  - How to present the security of the credential transmission
>
>  - How to present the identity (at least the hostname) of who is 
> asking for the credentials in a usable manner. This is a problem that 
> is not restricted to authentication, but extends to such areas as the 
> display of the URL in address bar and determining if two servers are 
> allowed to share cookies. See references below for some discussion and 
> background on that.
>
>
>  http://my.opera.com/yngve/blog/show.dml/267415
>  http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list_help_wanted.html 
>
>  http://wiki.mozilla.org/Gecko:Effective_TLD_Service
>
>
>

-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Monday, 25 June 2007 19:10:38 UTC