- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 25 Jun 2007 13:32:00 -0400
- To: "Doyle, Bill" <wdoyle@mitre.org>
- CC: yngve@opera.com, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
If we actually consider the threat model here, I'm not sure how adding encryption is going to help the user. How many cases of identity theft have we seen where the credentials were sniffed during transmission? While encryption certainly doesn't hurt, the biggest threat comes from a backend database being hacked (out of scope) or when a spoofed site receives the information directly (in scope). In the case of the latter, using SSL/TLS certainly won't help matters.

One idea I've been toying with is forcing the user to enter a domain name in these dialog boxes (if the user has never interacted with this domain before). The browser could then compare the desired destination with the actual one before it sends any information. Of course, the problem is making this unspoofable, which then goes back to the "distinguishing chrome from content" problem...

serge

Doyle, Bill wrote:
> This is server side or application processing, is this out?
>
> Recommendation
>
> HTTP Basic Authentication - Basic Authentication passes credentials (ID/PW) in the HTTP header in clear text. This form of authentication requires additional security services to be considered secure. Options to secure HTTP basic authentication include HTTPs (SSL / TLS) and use of VPN technology.
>
> Bill
> wdoyle@mitre.org
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Yngve Nysaeter Pettersen
> Sent: Monday, June 25, 2007 10:55 AM
> To: Mary Ellen Zurko; public-wsc-wg@w3.org
> Subject: Re: Basic Authentication - what do we have?
>
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
>> What do we have in our set of proposals that addresses trust decisions posed by Basic Authentication? The realm information (within the modal dialog in the browser I use) is set by the web site. The browser I use puts the domain in the title bar. When I have the resolution on my display cranked down to increase the size of everything (something I do more and more these days), the most pertinent part of the domain is truncated from the right hand side of the dialog's title display. I very much want to know that the domain ends in "ibm.com" when I think I'm typing in my IBM password. What, if anything, do we have in our proposals that addresses this?
>
> I don't recall having seen anything about this, at least major discussion.
>
> I think a discussion of this should not be limited to Basic, but should include the other methods, such as Digest and NTLM/Negotiate, as well.
>
> Opera displays the servername as a field inside the dialog, as well as the realm, which is presented as a message from the server.
>
> We are currently considering what we display in this dialog and how it is displayed, from both a usability and a security point of view.
>
> Parts of what is being considered are:
>
> - How to present the security of the credential transmission
>
> - How to present the identity (at least the hostname) of who is asking for the credentials in a usable manner. This is a problem that is not restricted to authentication, but extends to such areas as the display of the URL in address bar and determining if two servers are allowed to share cookies. See references below for some discussion and background on that.
>
> http://my.opera.com/yngve/blog/show.dml/267415
> http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list_help_wanted.html
> http://wiki.mozilla.org/Gecko:Effective_TLD_Service

-- 
/*
Serge Egelman
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University
Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
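The check Serge sketches (the browser comparing the destination the user expects with the host actually asking for credentials, before anything is sent) and the effective-TLD comparison Yngve's references point to, as an added JavaScript example that is not part of this thread or of any browser's code. The suffix table is a constructed stand-in for the real effective TLD list, the sample hosts and URLs are constructed inputs, and the function names and dialog-label format are assumptions made for the example.

```javascript
// Added example (not from the thread). Two ideas raised in the thread:
// (1) compare a user-stated expected domain with the actual host before
//     credentials leave the browser, and
// (2) reduce a hostname to its registrable ("effective TLD + 1") part so
//     the meaningful piece cannot be truncated away from the right edge
//     of a dialog title, as Mary Ellen describes.

// Constructed stand-in for an effective TLD / public suffix table. The
// real list referenced in the thread is far larger; this is just enough
// for the sample hosts below.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "no", "uk", "co.uk"]);

// Registrable domain of a host: the longest known public suffix plus one
// label. Unknown top-level suffixes are treated as public (fall back to
// the last two labels). Returns null for a bare suffix or malformed host.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2 || labels.some((l) => l.length === 0)) return null;
  if (PUBLIC_SUFFIXES.has(labels.join("."))) return null;
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix: last two labels.
  return labels.slice(-2).join(".");
}

// Decide whether a Basic/Digest/NTLM credential prompt for requestUrl may
// proceed, given the domain the user typed as the intended destination.
// Comparison is on registrable domains, so "www.ibm.com" satisfies an
// expectation of "ibm.com" while "ibm.com.evil.example" does not.
// transportEncrypted reflects Bill's point: Basic over plain HTTP is
// cleartext on the wire.
function credentialDestinationCheck(expectedDomain, requestUrl) {
  const url = new URL(requestUrl);
  const expected = registrableDomain(expectedDomain);
  const actual = registrableDomain(url.hostname);
  return {
    expected,
    actual,
    domainMatches: expected !== null && expected === actual,
    transportEncrypted: url.protocol === "https:",
  };
}

// Dialog label that puts the registrable domain first, so right-hand
// truncation of a long hostname cannot hide the part that matters.
function dialogHostLabel(host) {
  const reg = registrableDomain(host);
  if (reg === null) return host;
  return reg === host.toLowerCase() ? reg : `${reg} (${host})`;
}

// Stand-alone run on constructed inputs (no network access).
if (typeof require !== "undefined" && require.main === module) {
  console.log(credentialDestinationCheck("ibm.com", "https://www.ibm.com/secure/"));
  console.log(credentialDestinationCheck("ibm.com", "http://ibm.com.evil.example/login"));
  console.log(dialogHostLabel("www.ibm.com"));
}
```

The example deliberately does nothing about the spoofing problem Serge raises: a page can still draw a convincing fake dialog, so the comparison is only worth something if the real prompt is rendered in chrome the content area cannot imitate.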
Received on Monday, 25 June 2007 17:33:00 UTC