RE: Basic Authentication - what do we have?

These are the types of problems that the IETF draft is addressing, i.e.
the one that Thomas recently named:

http://www.ietf.org/internet-drafts/draft-hartman-webauth-phishing-03.txt

When this draft becomes an RFC, we should consider providing a reference to
it. See for example some recommendations/requirements from that draft:

- The web authentication solution MUST support passwords and MUST be
secure even when passwords are commonly used

- Websites must never receive information such as passwords that can be
used to impersonate the user to third parties

- when a user authenticates to a website, the website MUST NOT receive a
strong password equivalent

....
---
Luis
-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Serge Egelman
Sent: den 25 juni 2007 19:32
To: Doyle, Bill
Cc: yngve@opera.com; Mary Ellen Zurko; public-wsc-wg@w3.org
Subject: Re: Basic Authentication - what do we have?


If we actually consider the threat model here, I'm not sure how adding
encryption is going to help the user.  How many cases of identity theft
have we seen where the credentials were sniffed during transmission?
While encryption certainly doesn't hurt, the biggest threat comes from a
backend database being hacked (out of scope) or when a spoofed site
receives the information directly (in scope).  In the case of the
latter, using SSL/TLS certainly won't help matters.

One idea I've been toying with is forcing the user to enter a domain
name in these dialog boxes (if the user has never interacted with this
domain before).  The browser could then compare the desired destination
with the actual one before it sends any information.  Of course, the
problem is making this unspoofable, which then goes back to the
"distinguishing chrome from content" problem...

serge

Doyle, Bill wrote:
> This is server side or application processing, is this out?
> 
> Recommendation
> 
> HTTP Basic Authentication - Basic Authentication passes credentials
> (ID/PW) in the HTTP header in clear text. This form of authentication
> requires additional security services to be considered secure. Options
> to secure HTTP basic authentication include HTTPs (SSL / TLS) and use
> of VPN technology.
> 
> Bill
> wdoyle@mitre.org
> 
> 
> 
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Yngve Nysaeter 
> Pettersen
> Sent: Monday, June 25, 2007 10:55 AM
> To: Mary Ellen Zurko; public-wsc-wg@w3.org
> Subject: Re: Basic Authentication - what do we have?
> 
> 
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
> 
>> What do we have in our set of proposals that addresses trust decisions
>> posed by Basic Authentication? The realm information (within the modal
>> dialog in the browser I use) is set by the web site. The browser I use
>> puts the domain in the title bar. When I have the resolution on my
>> display cranked down to increase the size of everything (something I
>> do more and more these days), the most pertinent part of the domain is
>> truncated from the right hand side of the dialog's title display. I
>> very much want to know that the domain ends in "ibm.com" when I think
>> I'm typing in my IBM password. What, if anything, do we have in our
>> proposals that addresses this?
> 
> I don't recall having seen anything about this, at least not a major
> discussion.
> 
> I think a discussion of this should not be limited to Basic, but should
> include the other methods, such as Digest and NTLM/Negotiate, as well.
> 
> Opera displays the servername as a field inside the dialog, as well as
> the realm, which is presented as a message from the server.
> 
> We are currently considering what we display in this dialog and how it
> is displayed, from both a usability and a security point of view.
> 
> Parts of what is being considered are:
> 
>   - How to present the security of the credential transmission
> 
>   - How to present the identity (at least the hostname) of who is
> asking for the credentials in a usable manner. This is a problem that
> is not restricted to authentication, but extends to such areas as the
> display of the URL in the address bar and determining if two servers are
> allowed to share cookies. See references below for some discussion and
> background on that.
> 
> 
>   http://my.opera.com/yngve/blog/show.dml/267415
>   http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list_help_wanted.html
>   http://wiki.mozilla.org/Gecko:Effective_TLD_Service
> 

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly, Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students */
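As an added illustration of two points raised in this thread (Bill's note that Basic Authentication carries the ID/PW in the header in clear text, and Serge's idea of comparing the domain the user expects with the actual destination before anything is sent), the following Python is example code written for this page; it is not part of the original messages or of any browser's implementation, and the `alice`/`s3cret` credentials and header value are constructed sample data.

```python
import base64
import binascii


def decode_basic_credentials(header_value):
    """Recover the user id and password from an HTTP Basic header value.

    Basic only base64-encodes "userid:password", so anyone who can read the
    request recovers the credentials; this is why Basic needs TLS or a VPN
    around it. Returns (userid, password), or None if the value is not a
    well-formed Basic credential.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    userid, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (userid, password) if sep else None


def destination_matches(expected_domain, actual_host):
    """Return True if the host asking for credentials lies under the domain
    the user typed (e.g. "ibm.com" covers "login.ibm.com").

    Labels are compared whole, so "ibm.com.example.test" does not pass as
    "ibm.com"; a plain string suffix check is deliberately avoided.
    """
    expected = expected_domain.strip().rstrip(".").lower().split(".")
    actual = actual_host.strip().rstrip(".").lower().split(".")
    if not all(expected):
        return False
    return len(actual) >= len(expected) and actual[-len(expected):] == expected


if __name__ == "__main__":
    # Constructed sample: a client sending Basic credentials alice / s3cret.
    sample = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
    print(decode_basic_credentials(sample))                       # ('alice', 's3cret')
    print(destination_matches("ibm.com", "login.ibm.com"))        # True
    print(destination_matches("ibm.com", "ibm.com.example.test")) # False
```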

Received on Tuesday, 26 June 2007 11:22:21 UTC