W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: #539: mention TLS vs plain text passwords or dict attacks?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Jan 2014 15:04:17 +0100
Message-ID: <52DFCFE1.7010002@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
On 2014-01-02 10:27, Julian Reschke wrote:
> Hi there,
> in the IESG feedback, we were asked by Sean Turner and Stephen Farrell
> to mention TLS in part 7:
> Sean Turner:
>> 1) So I guess the reason we're not saying TLS is an MTI with
>> basic/digest is that that's getting done in an httpauth draft? It
>> really wouldn't hurt to duplicate that while we're getting the other
>> one done (I know you *don't* want a reference to that draft).
> Stephen Farrell:
>> Please check the secdir review. (​​
>> http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I
>> agree with the comment that this really should have some mention of
>> using TLS to protect basic/digest, even if that ought also be elsewhere.
> However, P7 currently does not attempt to discuss security
> considerations that would be specific to particular authentication schemes.
> Basic and Digest are defined in RFC 2617, and already have these
> warnings in their Security Considerations. The same will be true for the
> replacement specs the HTTPAUTH WG is working on.
> Thus I'd like to close this as WONTFIX -- feedback appreciated!
> Best regards, Julian

Proposed change 

"Challenges and responses are transmitted in header field values, and 
thus can easily leak information when not using a secured connection. 
Depending on the type of the authentication scheme, it therefore can be 
necessary to use a TLS-secured connection ("Transport Layer Security", 

Amos, if you want to tune this to clarify that there are other ways to 
secure the bits, please go ahead and make a proposal...

Best regards, Julian
Received on Wednesday, 22 January 2014 14:04:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:23 UTC