Re: [UMP] Proxy-Authorization

On Mon, Jan 11, 2010 at 5:06 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Jan 11, 2010 at 12:40 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Sun, Jan 10, 2010 at 2:25 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> More abstractly, why aren't we worrying about P misbehaving based on
>>> the ambient authority in R (i.e., the Proxy-Authentication
>>> information)?  Why do the security considerations for the
>>> Proxy-Authorization header differ from the security considerations for
>>> the Authorization header?
>>
>> The resource host decides whether or not to accept a request, what
>> side-effects are caused, and what information is put in the response.
>> We want to prevent ambient authority from having an effect on these
>> decisions by the resource host.
>
> I'm not sure why we're concerned about misuses of ambient authority by
> the resource host but not by the proxy.  If we can trust one to
> operate correctly, why can't we trust the other?

The proxy is only in a position to affect network connectivity,
especially for https: resources where SSL ensures this property.
Similar to client IP address and firewall issues, the UMP is not in a
position to affect access-control decisions based on network
connectivity. The UMP can affect decisions based on credentials issued
by a site to a client and these are the most interesting anyways,
since these are the ones that resources on the public Web commonly
depend upon. The UMP is a tool to help resource authors. A resource
author is not commonly in a position to require use of an
authenticating HTTP proxy.

>> The proxy is presumably semantically
>> transparent and so has no impact on these decisions by the resource
>> host. For https: resources, this transparency is cryptographically
>> enforced by the SSL protocol, which tunnels the connection through the
>> proxy.
>
> This seems like a shaky assumption.  For example, imagine a private
> network that allows VPN access via an authenticating proxy.

What security properties are you claiming for this setup?

> Now, the
> ambient authority provided by Proxy-Authentication imbues the attacker
> with the ability to issue UMP requests inside the VPN.

<form> and others already imbue the attacker with greater access to
VPN resources, since issued credentials are also included.

> It just seems like the reason for preferring UMP over CORS is that
> we're worried that ambient authority will lead to security
> vulnerabilities.  If that's really a problem, we should remove all
> ambient authority.

Does the first clause of your last sentence imply that you don't
believe CSRF, clickjacking and related attacks are really problems?

It's not feasible to remove all ambient authority. For example, the
client has the authority to send requests from its IP address. So we
draw a line between network connectivity and issued credentials. Proxy
credentials provide network connectivity.

Also, as a practical matter, disallowing Proxy-Authorization might
inhibit use of UMP, since a resource author would be concerned about
the loss of users who are required to use a proxy.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
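The distinction Tyler draws above, between ambient credentials the browser attaches on its own (cookies, HTTP Authorization) and proxy credentials that only buy network connectivity, can be made concrete with a small simulation. The code below is an added example and is not from this thread, the UMP draft or any browser; the header sets, the proxy, the two resource hosts and every credential value are constructed for illustration. It models a cross-origin request passing through an authenticating proxy to either a cookie-authorized host (the CSRF-prone design) or a host that requires a credential the site explicitly issued, and shows what a "uniform" request that strips ambient headers but keeps Proxy-Authorization can and cannot do.

```javascript
// Constructed simulation of ambient authority vs. network connectivity.
// Nothing here is UMP, CORS or browser code; all names and values are invented.

// Headers the browser attaches automatically: ambient authority.
const AMBIENT_HEADERS = new Set(["cookie", "authorization"]);

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Build a "uniform" request: ambient credentials are stripped, every other
// header (including Proxy-Authorization) passes through unchanged.
function toUniformRequest(request) {
  const headers = {};
  for (const [name, value] of Object.entries(normalizeHeaders(request.headers))) {
    if (AMBIENT_HEADERS.has(name)) continue;
    headers[name] = value;
  }
  return { ...request, headers };
}

// An authenticating proxy: it decides connectivity only, then forwards.
const PROXY_CREDENTIAL = "Basic constructed-proxy-credential"; // constructed
function authenticatingProxy(request, origin) {
  const headers = normalizeHeaders(request.headers);
  if (headers["proxy-authorization"] !== PROXY_CREDENTIAL) {
    return { status: 407, body: "proxy authentication required" };
  }
  return origin(request);
}

// Resource host A relies on ambient authority: a session cookie set earlier.
const SESSION_COOKIE = "session=constructed-session-id"; // constructed
function cookieAuthorizedHost(request) {
  const headers = normalizeHeaders(request.headers);
  if (headers["cookie"] === SESSION_COOKIE) {
    return { status: 200, body: `transferred ${request.body.amount}` };
  }
  return { status: 403, body: "no session" };
}

// Resource host B relies on a credential it issued to the calling script,
// which the script must present explicitly in a custom header.
const ISSUED_TOKEN = "constructed-issued-token"; // constructed
function tokenAuthorizedHost(request) {
  const headers = normalizeHeaders(request.headers);
  if (headers["x-issued-token"] === ISSUED_TOKEN) {
    return { status: 200, body: `transferred ${request.body.amount}` };
  }
  return { status: 403, body: "no issued credential" };
}

// A request issued from some other origin's page. The browser would attach
// the session cookie and the proxy credential on its own.
function crossOriginRequest(extraHeaders = {}) {
  return {
    method: "POST",
    url: "https://bank.example/transfer", // constructed target
    headers: {
      Cookie: SESSION_COOKIE,
      "Proxy-Authorization": PROXY_CREDENTIAL,
      ...extraHeaders,
    },
    body: { amount: 100 },
  };
}

// Credentialed request: the ambient cookie reaches host A, which acts on it.
function credentialedOutcome() {
  return authenticatingProxy(crossOriginRequest(), cookieAuthorizedHost).status;
}

// Uniform request: the cookie is stripped, so host A refuses; the proxy still
// forwards because Proxy-Authorization was retained.
function uniformOutcomeCookieHost() {
  return authenticatingProxy(toUniformRequest(crossOriginRequest()), cookieAuthorizedHost).status;
}

// Uniform request without the proxy credential: stopped at the proxy. The
// proxy only ever affects whether the request reaches the host at all.
function uniformOutcomeNoProxyCredential() {
  const req = toUniformRequest(crossOriginRequest());
  delete req.headers["proxy-authorization"];
  return authenticatingProxy(req, cookieAuthorizedHost).status;
}

// Uniform request carrying a credential the site issued to that script:
// host B accepts, because the authority was delegated explicitly, not ambient.
function uniformOutcomeTokenHost() {
  const req = toUniformRequest(crossOriginRequest({ "X-Issued-Token": ISSUED_TOKEN }));
  return authenticatingProxy(req, tokenAuthorizedHost).status;
}
```

Run under Node with no dependencies. The four outcome functions return 200, 403, 407 and 200 respectively: stripping ambient headers removes the cookie-based cross-origin side effect, the retained proxy credential changes only whether the request is forwarded, and a host that wants cross-origin callers to act must hand them an explicit credential.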

Received on Tuesday, 12 January 2010 18:51:57 UTC