W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: #539: mention TLS vs plain text passwords or dict attacks?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 23 Jan 2014 15:27:32 +0100
Message-ID: <52E126D4.3070504@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
On 2014-01-22 15:04, Julian Reschke wrote:
> On 2014-01-02 10:27, Julian Reschke wrote:
>> Hi there,
>> in the IESG feedback, we were asked by Sean Turner and Stephen Farrell
>> to mention TLS in part 7:
>> Sean Turner:
>>> 1) So I guess the reason we're not saying TLS is an MTI with
>>> basic/digest is that that's getting done in an httpauth draft? It
>>> really wouldn't hurt to duplicate that while we're getting the other
>>> one done (I know you *don't* want a reference to that draft).
>> Stephen Farrell:
>>> Please check the secdir review. (​​
>>> http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I
>>> agree with the comment that this really should have some mention of
>>> using TLS to protect basic/digest, even if that ought also be elsewhere.
>> However, P7 currently does not attempt to discuss security
>> considerations that would be specific to particular authentication
>> schemes.
>> Basic and Digest are defined in RFC 2617, and already have these
>> warnings in their Security Considerations. The same will be true for the
>> replacement specs the HTTPAUTH WG is working on.
>> Thus I'd like to close this as WONTFIX -- feedback appreciated!
>> Best regards, Julian
> Proposed change
> (<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/539/539.diff>):
> add
> "Challenges and responses are transmitted in header field values, and
> thus can easily leak information when not using a secured connection.
> Depending on the type of the authentication scheme, it therefore can be
> necessary to use a TLS-secured connection ("Transport Layer Security",
> [RFC5246])."
> Amos, if you want to tune this to clarify that there are other ways to
> secure the bits, please go ahead and make a proposal...
> Best regards, Julian

...and applied with 

Best regards, Julian
Received on Thursday, 23 January 2014 14:28:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:23 UTC