RE: New version of Passwords in the Clear from noah_mendelsohn@us.ibm.com on 2006-11-15 (www-tag@w3.org from November 2006)

From: <noah_mendelsohn@us.ibm.com>
Date: Wed, 15 Nov 2006 14:44:33 -0500
To: "Rice, Ed (ProCurve)" <ed.rice@hp.com>
Cc: "John Cowan" <cowan@ccil.org>, "Vincent Quint" <Vincent.Quint@inrialpes.fr>, www-tag@w3.org, www-tag-request@w3.org
Message-ID: <OFABE396D4.822DF3B5-ON85257227.0067287D-85257227.00682623@lotus.com>
Ed Rice asks:

> Are you suggesting that if the server application is accessed via a VPN
> than it should be ok for the password to be transmitted without an
> Secure Socket?

No, I don't think what I wrote suggests that at all.

"Definition:  Accordingly, we say that a message or a password is "in the 
clear" if the representation used to transmit it is likely to be decodable 
by those other than the intended receiver."

> If that's the case, than anyone on the same VPN has access to the 
> password as well, and since most vulnerabilities happen within the 
> confines of the 'corporate' firewall.. I'm not sure that an adequate
> safeguard. 

Indeed.  But I think if you look at what I wrote it's quite appropriate. 
Specifically:

I wrote:

"In fact, I think it's a rather subtle concept, because it's relative to 
who you think is doing the looking."

Your VPN is a good example of that.  You've decided that you care about 
people who are trying to "look" from within the corporate network as well 
as outside.  VPN doesn't purport to deal 

I wrote:

"Accordingly, this finding takes the position that, unless additional 
means are used to protect the content, any message sent using HTTP over 
(unencrypted)  TCP should be presumed to be "in the clear", and thus 
vulnerable to unintended inspection."

I carefully avoided saying the converse, which would have been that 
picking an arbitrary encryption or security approach such as VPN would 
necessarily give you protection appropriate to your use case.  The 
definition above still applies.

I wrote:

"A message sent using encryption is viewed as being "not in the clear" to 
the extent that the encryption used is sufficiently difficult to decode by 
unintended receivers, I.e. that its methods a robust against decoding 
without a
key, and that key distribution is done sufficiently carefully that 
unintended recipients are unlikely to obtain the necessary keys."

In the case of your example, you've decided that the intended recievers do 
not include some of the other folks who are on the same corporate network. 
 Accordingly, your VPN+HTTP Basic is not a suitably secure combination, 
because as you say passwords will tend to be unencrypted when users on the 
corporate network go looking for them.

Indeed, the whole reason I suggested clarifying the finding is that it 
gives a strong admonition not to "send passwords in the clear" without 
pointing to any defintion of what "in the clear means".  Your VPN is one 
of many that suggest that the concept is not self-evident, because HTTP 
Basic over VPN is indeed opaque to typical users of the "public" network, 
but potentially "in the clear" once the message starts moving around the 
corporate network.    So, I still think clarification would be helpful.

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------








"Rice, Ed (ProCurve)" <ed.rice@hp.com>
Sent by: www-tag-request@w3.org
11/15/2006 01:02 PM
 
        To:     <noah_mendelsohn@us.ibm.com>, "John Cowan" 
<cowan@ccil.org>
        cc:     "Vincent Quint" <Vincent.Quint@inrialpes.fr>, 
<www-tag@w3.org>
        Subject:        RE: New version of Passwords in the Clear



Noah,

Are you suggesting that if the server application is accessed via a VPN
than it should be ok for the password to be transmitted without an
Secure Socket?  If that's the case, than anyone on the same VPN has
access to the password as well, and since most vulnerabilities happen
within the confines of the 'corporate' firewall.. I'm not sure that an
adequate safeguard.

The only possible exception I could see would be if you had only two
computers on your network and they're together in a locked room.  But
then its outside of the scope of the world wide web so the finding
doesn't apply.

My 2c.
-Ed
 

-----Original Message-----
From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
Of noah_mendelsohn@us.ibm.com
Sent: Tuesday, November 14, 2006 9:21 AM
To: John Cowan
Cc: Vincent Quint; www-tag@w3.org
Subject: Re: New version of Passwords in the Clear


John Cowan writes:

> Vincent Quint scripsit:
> 
> > Thanks to Ed, a new version of the draft finding "Passwords in the
Clear"
> > is available at:
> > 
> >
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20061113.html
> >    http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> 
> This draft mentions HTTP basic authentication only obliquely; it 
> should make it clear that using it is an instance of
passwords-in-the-clear.

I wonder whether the problem isn't the failure of the finding to more
"clearly" define the phrase "in the clear". 

In fact, I think it's a rather subtle concept, because it's relative to
who you think is doing the looking.  We think of http basic being "in
the clear" when used over ordinary TCP connections, but less so over SSL
or other "encrypted" connections.  Why?  I think it's because we
understand that, as the finding pretty much says, messages sent using
HTTP basic without SSL wind up in a lot of places where a lot of people
have the tools necessary to see them in their original form, i.e. as
plain text. 
There are log viewers, proxy caches that can be searched, etc.  It's
assumed that many fewer people, if any, have the tools to crack digest
authentication, so in that sense passwords sent using digest are in the
clear for a much smaller community, and indeed we hope only for the
intended recipient.  Indeed, perspectives on what's 'in the clear' may
change over time.  I believe there was a time when if you said that you
were using spread spectrum transmission techniques the military would
have presumed you were using an advanced encrypted radio channel.  Now
we all have 802.11 receivers that readily "crack" at least one form of
spread spectrum transmission.

So, I wonder whether it would be worth more carefully defining what we
mean by "in the clear"?

=========SUGGESTED ROUGH DRAFT OF NEW SECTION ==========================

2. When is a transmission "In The Clear"?

Computer messages are encoded at a variety of levels.  For example, text
may be encoded using Unicode, which in turn is represented using some
transmission protocol, and ultimately transmitted or stored as
electrical impulses, optical brightness levels, magnetic polarizations,
etc. If you have the necessary equipment and are able to decode the
encodings used, you can retrieve the information in a message.

This finding concerns itself with assuring that certain messages, and in
particular passwords transmitted in such messages, be safely hidden from
those who are not intended to receive them. 

Definition:  Accordingly, we say that a message or a password is "in the
clear" if the representation used to transmit it is likely to be
decodable by those other than the intended receiver.

In particular, we observe that messages transmitted using HTTP over TCP
(as opposed to HTTP over an encrypted channel such as SSL or TLS) tend
to be decodable from message logs, from Web caches, by using packet
sniffers, and with a wide variety of other commonly available tools and
software libraries.  Accordingly, this finding takes the position that,
unless additional means are used to protect the content, any message
sent using HTTP over (unencrypted)  TCP should be presumed to be "in the
clear", and thus vulnerable to unintended inspection.

One common means to ensure that messages or portions of messages are not
in the clear is through use of encryption, by which we mean encodings
that are easy to decode when certain particular information such as a
key is available, but impractically difficult to decode otherwise.
Encryption may be used to encode a message prior to submission for
transmission, or may be achieved as a byproduct of using an encrypted
channel (which typically only protects the message while it's in
transit, as opposed to at the sender or receiver.)  A message sent using
encryption is viewed as being "not in the clear" to the extent that the
encryption used is sufficiently difficult to decode by unintended
receivers, I.e. that its methods a robust against decoding without a
key, and that key distribution is done sufficiently carefully that
unintended recipients are unlikely to obtain the necessary keys. 

=========END SUGGESTED ROUGH DRAFT OF NEW SECTION
==========================

With that in hand, I think the admonitions to "not solicit" passwords in
the clear and not "transmit passwords in the clear" take on some teeth. 
This definition allows us to do what I think John is asking, which is to
talk a bit more about basic vs. digest authentication, and to explain
the senses in which each is or isn't "in the clear", when transmitted
using ordinary HTTP over TCP vs HTTP over SSL or TLS.

Thanks.

Noah

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Received on Wednesday, 15 November 2006 18:59:11 UTC