Re: Chained proxies, persistent connections, authentication

With the http authentication framework, only requests are authenticated  
never connections. If a proxy extends authentication to the (persistent)
connection, it introduces a security hole such as you observed.


Am Donnerstag, 23.10.03, um 16:31 Uhr (Europe/Berlin) schrieb Rob  

> I am currently investigating a problem that occurs in this type of  
> scenario:
> browser -> proxy1 -> proxy2 -> server
> Proxy1 is actually a Squid proxy, it is passing though the end-user  
> authentication to proxy2.  The problem occurs because proxy1 is  
> reusing connections to proxy2 for requests from different users, but  
> proxy2 is only authenticating the first request on each new  
> connection.  This means that subsequent requests are not being  
> authenticated, and these requests are being treated as if they  
> originated from the first user to use the connection. 
> Which proxy is at fault?  I understood that one of the intended  
> benefits of persistent connections was that a proxy would only have to  
> authenticate the first request on each connection, which is a huge  
> performance benefit.  But ths assumes that a downstream proxy that  
> passes through user authentication will not re-use the connection for  
> different users.  Having said that, so far I have been unable to find  
> any specification that says a proxy need only authenticate the first  
> request on each connection.
> I'd appreciate any thoughts on the matter,
> Rob Maidment.
> ----------------------------------------------------------------------- 
> ----------------------------------------
> Clearswift monitors, controls and protects all its messaging traffic in
> compliance with its corporate email policy using Clearswift products.
> Find out more about Clearswift, its solutions and services at
> *********************************************************************** 
> ************
> This communication is confidential and may contain privileged
> information intended solely for the named addressee(s). It may not
> be used or disclosed except for the purpose for which it has been
> sent. If you are not the intended recipient, you must not copy,
> distribute or take any action in reliance on it. Unless expressly  
> stated,
> opinions in this message are those of the individual sender and not of
> Clearswift. If you have received this communication in error, please
> notify Clearswift by emailing quoting the
> sender and delete the message and any attached documents. Clearswift  
> accepts no liability or responsibility for any onward transmission or  
> use of emails and attachments having left the Clearswift domain.
> This footnote confirms that this email message has been swept by
> MIMEsweeper for Content Security threats, including computer viruses.

Received on Thursday, 23 October 2003 10:40:33 UTC