- From: Bob Denny <rdenny@dc3.com>
- Date: Fri, 24 May 1996 06:57:25 -0700
- To: Dave Kristol <dmk@allegra.att.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Dave, et.al -- I've been 100% silent (workload issue) so pardon my intrusion at this late date. However, the following is unsettling to me: > An even better MITM attack would be to remove all offered choices, and > to insert a challenge that requests Basic authentication. For this > reason, user agents that are concerned about this kind of attack could > remember the strongest authentication scheme ever requested by a > server and produce a warning message that requires user confirmation > before using a weaker one. What if this MITM attack begins at the first transaction between the client and server? What's to remember? I consider this to be a serious flaw in offering a choice of authentication methods. Why do it at all? If the user EVER uses the weaker choice, his credentials have been exposed at that (lowest) strength. As you pointed out, offering stronger choices serves only to protect credentials anyway. Furthermore, if the same user authenticates at varying strengths, and the attacker solves the problem at the lowest strength, he may be in a position to mount a known ciphertext attack against the stronger ones. So the presence of the weaker choices serves to weaken the stronger choices. I believe that the server should require authentication at one strength only, as configured for the target object by the server or content administrator. This of course puts a roadblock in the way of implementing stronger methods (e.g., Simple MD5). If the server requires strong authentication and the browser doesn't support it, the user can't use the target object. > A particularly insidious way to mount such a MITM attack would be to offer a > "free" proxy caching service to gullible users. Yeah, just sit there and wait for the access restricted documents to land in your cache. -- Bob
Received on Friday, 24 May 1996 06:59:34 UTC