- From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
- Date: Mon, 28 Jan 2008 14:52:50 +0100
- To: Paul Hoffman <paul.hoffman@vpnc.org>
- Cc: ietf-http-wg@w3.org
On Wed, Jan 23, 2008 at 01:59:56PM -0800, Paul Hoffman <paul.hoffman@vpnc.org> wrote a message of 9 lines which said:

> Alexey and I have done a small rev on Rob Sayre's earlier document
> describing the security properties of HTTP and how they vary from
> the IETF's "mandatory to implement" policy.

Some remarks about draft-ietf-httpbis-security-properties-00.txt.

2.1 says "Almost all HTTP authentication is accomplished through HTML forms, with session keys stored in cookies."

This is clearly false. It is true only if you say "Web authentication for a human sitting behind a Web browser". But for HTTP, the protocol, which can be used by other things than Web graphical browsers, it is not my experience; I use RFC 2617 Basic Authentication or TLS with certificates a lot. (2.4 mentions these other uses, such as Web services.)

2.1 says "Many users do not understand the construction of URIs [RFC3986], or their presentation in common clients [[ CITATION NEEDED ]]."

A good bibliography (thanks to Mike Beltzner @ Mozilla) is:

"Decision Strategies and Susceptibility to Phishing", Downs, Holbrook & Cranor
http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf

"Why Phishing Works", Dhamija, Tygar & Hearst
http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf

"Do Security Toolbars Actually Prevent Phishing Attacks", Wu, Miller & Garfinkel
http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf

"Phishing Tips and Techniques", Gutmann
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf

2.2.1 says "Since Basic credentials are clear text, they are reusable by any party."

It seems to me that this has nothing to do with being in clear text or not. Basic credentials are dangerous because they are static, not because they are clear text (for which TLS is a solution).

2.4 says "These protocols usually don't have much in common with the Architecture of the World Wide Web. It's not clear why term "Web" is used to group them."

I agree that "Web" is not a good term but it does not mean they are off-topic for us, far from it, since we work on HTTP, not on "the Web". Also, some of these, like REST, have "a lot in common with the Architecture of the World Wide Web".
Received on Monday, 28 January 2008 13:53:01 UTC
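The point made above about section 2.2.1, that RFC 2617 Basic credentials are a problem because they are static rather than because they are clear text, can be shown with a small audit. The following is an added example, not code from the message, the draft, or the HTTP working group: it builds and parses Basic headers, then audits a constructed sequence of requests from one client and reports two separate findings, one that TLS removes (the credential travelling in clear text over `http`) and one that TLS does not (the identical credential repeated on every request, so a single capture from a log, proxy or the wire replays indefinitely). The request records, the field names `scheme` and `authorization`, and the finding strings are assumptions made for the example.

```python
"""Added example (not part of the original message): RFC 2617 Basic
credentials, and why TLS fixes only one of their two weaknesses."""
import base64
from typing import Dict, List, Optional, Tuple


def build_basic_header(user: str, password: str) -> str:
    """Build an RFC 2617 Basic Authorization value: base64("user-id:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic header back to (user-id, password).

    Returns None for anything that is not well-formed Basic (other scheme,
    bad base64, no ':' separator). Note that nothing in the decoding depends
    on the request: the value is a fixed function of the password alone.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def audit_requests(requests: List[Dict[str, str]]) -> List[str]:
    """Audit a client's requests (constructed records with 'scheme' and
    'authorization' fields, an assumption of this example) for Basic auth.

    Finding 'basic-over-plaintext': the password was readable by anyone on
    the path. Moving the request to TLS removes this finding.
    Finding 'static-credential': the same Basic value appeared on several
    requests. TLS does not change this; whoever obtains the value once
    (proxy log, server log, compromised endpoint) can reuse it until the
    password is changed.
    """
    findings: List[str] = []
    basic_values: List[str] = []
    for index, req in enumerate(requests):
        auth = req.get("authorization", "")
        if parse_basic_header(auth) is None:
            continue  # not Basic; outside the scope of this audit
        basic_values.append(auth)
        if req.get("scheme") != "https":
            findings.append(f"request {index}: basic-over-plaintext")
    if len(basic_values) > 1 and len(set(basic_values)) == 1:
        findings.append("static-credential: identical Basic header on every request")
    return findings


# Constructed sample: one client, three requests, same static credential,
# the first one sent without TLS.
CONSTRUCTED_REQUESTS: List[Dict[str, str]] = [
    {"scheme": "http", "path": "/api/items",
     "authorization": build_basic_header("alice", "s3cret")},
    {"scheme": "https", "path": "/api/items",
     "authorization": build_basic_header("alice", "s3cret")},
    {"scheme": "https", "path": "/api/orders",
     "authorization": build_basic_header("alice", "s3cret")},
]


def audit_with_tls_everywhere(requests: List[Dict[str, str]]) -> List[str]:
    """Re-run the audit as if every request had used TLS: the plaintext
    finding disappears, the static-credential finding stays."""
    return audit_requests([{**req, "scheme": "https"} for req in requests])


if __name__ == "__main__":
    for line in audit_requests(CONSTRUCTED_REQUESTS):
        print("as sent:  ", line)
    for line in audit_with_tls_everywhere(CONSTRUCTED_REQUESTS):
        print("with TLS: ", line)
```

Running the block prints one finding of each kind for the requests as sent, and only the static-credential finding once every request is moved to TLS, which is exactly the distinction the remark draws: TLS answers the clear-text objection, while the reusability comes from the credential never changing.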