Re: Basic Authentication behavior from David W. Morris on 1997-09-02 (ietf-http-wg@w3.org from July to September 1997)

From: David W. Morris <dwm@xpasc.com>
Date: Tue, 2 Sep 1997 13:52:37 -0700 (PDT)
To: John Franks <john@math.nwu.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.GSO.3.96.970902134147.8423D-100000@shell1.aimnet.com>

On Tue, 2 Sep 1997, John Franks wrote:

> The server has a directory /dir protected by Basic auth and
> using realm "realm1".  There is a subdirectory /dir/sub/ which
> is also protected by Basic auth but with a different realm and
> different user/password data base.
>[...] 
> But upon reflection, I am not so sure.  Here are some points to
> consider:
> 
> When the browser requests /dir/sub/foo2 it essentially is *guessing*
> the username/password pair.  At this point it has no way of knowing
> that the realm is different.  The guess usually will be right.  A
> successful guess will eliminate a round trip exchange of challenge and
> response.  On the other hand the server has no way of knowing that
> the client is using a different realm so it can only try the username
> and password with the realm2 data base.  This would normally fail
> and I am not sure if there would be any adverse effects beyond 
> extra load on the server and confusing server logs with a great many
> authentication failures.
> 
> For the browser in question, when the subdirectory authentication fails
> the user gets a failure message and an opportunity to retry.  At this
> point the browser knows the realms are different, so at least the
> failure message is a bug (IMHO).
> 
> Any thoughts on this?  Should the specifcation discourage this type
> of password guessing?

I prefer the guessing to continue from a performance and usability
perspective since I believe the number of cases of different protection
for a sub-tree to be far fewer than the number of cases where the same
protection applies.

It should be trivial for your example browser to notice the realm change
and not issue the error dialog.

Basic authentication is so problematic re. protection of passwords that
I don't see this guessing as making a significant difference to security
protection. There are significant fish to fry like encouraging 
servers to not require system user directory entries for web user access,
like getting digest authentication adopted, etc.

Dave Morris

Received on Tuesday, 2 September 1997 13:57:03 UTC