- From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Date: Mon, 10 Jun 1996 10:48:45 +0200 (MET DST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Paul Leach <paulle@microsoft.com> writes:

>>From: Hallvard B Furuseth[SMTP:h.b.furuseth@usit.uio.no]
>>
>>If I set up a server with Digest Authentication, a Man in the Middle or
>>Counterfeit Server could simply remove it and ask the client for Basic
>>Authentication instead. The user will type in his password, "knowing"
>>that it cannot be decrypted.
>
> Clients that care will refuse to send Basic.

True.

> Browsers need to be configurable to allow them to say that -- but
> that's not a protocol issue.

Why not? You could define a Secure Client Standard for what clients (who
follow that standard) must tell the user when they ask interactively for
passwords. True, this would not be part of the protocol.

The protocol issue would be a header which lets the client say "I follow
(version XXX of) the Secure Client Standard". Or an alternative to the
WWW-Authenticate: header which only clients that follow (version XXX or
above of) the Secure Client Standard may obey, combined with a way for a
server to ask client "Do you follow the Secure Client Standard?". The
latter so that a server can refrain from asking careless clients for
passwords.

Of course the client may be lying, or have some weird definition of
"interactive" or "telling the user" -- THAT is not protocol issue. But it
does give me teeth when I complain about a client which disclosed a
user's password even though my WWW service only asks users with secure
clients for passwords.

> Browsers should also probably remember sites that used Digest
> Auth once, and insist on it later.

I think that protects against MITM but not a counterfeit server (which
may live on some other site).

> We should clarify the security considerations sections to be more
> explicit how to make sure that Digest is actually used, so that its
> protections against MITM and counterfeit servers can be enjoyed.

Good.

>>Sigh -- I didn't want to learn that much about WWW security; all I
>>wanted was to write a simple WWW service which authenticates the user
>>via his UNIX password...
>
> Use Digest.

Can't. I think I need SSL/SHTTP; a Digested password can't be decrypted
and checked against the Unix passwd file. Anyway, I'll go to some
newsgroup with that one.

Regards,
Hallvard
Received on Monday, 10 June 1996 02:20:16 UTC
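The two client-side defences discussed in the thread (refuse to answer a Basic challenge, and once a host has offered Digest, insist on Digest from then on) as an added Python example; this is not code from the thread or from any browser, the challenge parsing is simplified to one challenge per WWW-Authenticate header value, and the host names used in the checks are constructed.

```python
import re

# Matches one auth-param of a challenge: name="quoted value" or name=token.
# Assumed simplification: one challenge per WWW-Authenticate header value.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(value):
    """Split one WWW-Authenticate value into (scheme, params).

    'Digest realm="x", nonce="abc"' -> ("digest", {"realm": "x", "nonce": "abc"})
    """
    scheme, _, rest = value.strip().partition(" ")
    params = {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _PARAM_RE.finditer(rest)
    }
    return scheme.lower(), params


class AuthPolicy:
    """Client policy: never send Basic unless configured to, and treat a
    Basic-only challenge from a host that previously offered Digest as a
    downgrade (the MITM case from the thread) rather than answering it."""

    def __init__(self, allow_basic=False):
        self.allow_basic = allow_basic
        self.digest_hosts = set()  # hosts that have ever offered Digest

    def decide(self, host, challenges):
        """Return (action, reason); action is "digest", "basic" or "refuse"."""
        offered = {scheme for scheme, _ in map(parse_challenge, challenges)}
        if "digest" in offered:
            self.digest_hosts.add(host)  # remember: this host can do Digest
            return "digest", "server offered Digest; password never leaves the client"
        if host in self.digest_hosts:
            return "refuse", "host previously used Digest; Basic-only challenge looks like a downgrade"
        if "basic" in offered and self.allow_basic:
            return "basic", "Basic allowed by configuration; password would be sent in cleartext"
        return "refuse", "no acceptable authentication scheme offered"
```

As the thread notes, the pinning only helps against an in-path attacker on a host the client has already seen use Digest; a counterfeit server on a different host is never pinned and is only stopped by the refuse-Basic default.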