Re: potential security holes in digest authorization from John Franks on 1995-07-17 (ietf-http-wg@w3.org from July to September 1995)

From: John Franks <john@math.nwu.edu>
Date: Mon, 17 Jul 1995 11:53:08 -0500 (CDT)
To: Dave Kristol <dmk@allegra.att.com>
Cc: john@math.nwu.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <199507171653.LAA04403@hopf.math.nwu.edu>

According to Dave Kristol:
> John Franks <john@math.nwu.edu> said:
>   [regarding my proposal to embed hostname in the password file line]
>   > This would mean that only one hostname could be used in the URL.  I.e.
>   > even though host.com and www.host.com are the same host, one of the URLs
>   > 
>   > 	http://host.com/secret.doc
>   > and
>   > 	http://www.host.com/secret.doc
>   > 
>   > would have to fail even when the user supplied a valid username/password.
>   > This would be a serious flaw.
> 
> I disagree with the premise.  I wouldn't encode the domain name that
> the user accessed to reach my server.  I would encode the name that the
> server uses for itself, for example the name set by NCSA HTTPD
> ServerName directive.

How is the client supposed to know this?  You'll have to make further
additions to the protocol.  Maybe I am confusing who said what but
didn't you also complain that encoding the hostname would make it
impossible to move the password file to a new host?  This is a good
point and suggests a realm containing the enterprise name, but not the
host name -- something like "group@Enterprise_Name" e.g.
"Engineering@ATT_Bell_Labs".

> 
> Thank you for motivating my second quibble, namely:  I want to be able
> to specify a (user/password) prompt independent of the realm.  I don't
> think much of a realm named "myrealm@www.myplace.com", but maybe I'm
> perverse.  I prefer
> 	Enter username for [prompt that I specify] at www.research.att.com:
> to
> 	Enter username for myrealm@www.myplace.com at www.myplace.com
> 
> Evidently (sigh) I'm the only person in the world who feels this way.
> 

The prompt displayed is entirely up to the browser.  Different
browsers will do it differently with different kinds of dialog boxes.
They seem to all display the realm.  If you want to get them all to
agree to let the server supply the prompt you have a tough task.

There may also be security issues since I could display a prompt 
concealing the fact that I am using a realm identical to someone elses.
Displaying a prompt and a realm would be too much.

This discussion has highlighted the importance of displaying the
realm and users not entering a password unless the realm agrees with
enterprise they are accessing!

John Franks

Received on Monday, 17 July 1995 09:54:21 UTC