RE: New version of Passwords in the Clear

Noah,

I don't think we're going to agree on this.  We started with what's
'clear text', now 'what's encryption'.  These are all things that people
can ask if they don't understand and any of us can answer.

My goal is to create a simple paper that everyone can read and
understand.  I'm trying to avoid what the TAG often does, which is to
drill down so low on the details that nobody bothers to read the paper
anymore, or to make the paper so grey that people can continue to do
whatever they want.  My intent, and I believe the paper, is clear.

Is it stronger than some people like?  Sure!  If I owned a site without
a secure connection I would 'prefer' that we didn't pass the finding.
Honestly, I'm more concerned about the user who is using the system and
their personal privacy.   At HP, we take customer privacy very seriously
and we have strict rules about transmitting, storage and access to any
of this information.  I'm not going that far with this paper, all I'm
saying is don't make my password so easy to read that anyone can do it
whenever I access your site.

I honestly respect your opinion very much; sometimes it's OK not to
agree.  Ultimately it's going to be up to the TAG if they want to publish
this or not.  If the TAG does, it will send a clear message; if it
doesn't, we'll send an equally clear message.

-Ed


-----Original Message-----
From: noah_mendelsohn@us.ibm.com [mailto:noah_mendelsohn@us.ibm.com] 
Sent: Wednesday, November 15, 2006 12:16 PM
To: Rice, Ed (ProCurve)
Subject: RE: New version of Passwords in the Clear

> No, in the clear means that the data is being transmitted over the 
> wire without encryption and is readily available to anyone with a 
> sniffer (as I point out in the paper).

But what's encryption?  You yourself gave the example of a VPN.  Is HTTP
basic over VPN encrypted?  Yes with respect to certain kinds of access,
typically no with respect to hops made before or after the VPN-protected
part of the transmission.

And what does it mean to "transmit over the wire" anyway?  As I said in
my note, it ultimately tends to involve layers of encoding that get
down to some physical representation as light, electricity and/or
magnetism.  Using key-based encryption at one layer or another seems to
me to be just one way of protecting a message from access by certain
unintended parties.

The story I think you're trying to tell is:  so many messages on the Web
are routed in uncontrolled ways, buffered in unexpected places, etc.,
that it's usually a bad bet to depend on mechanisms other than
end-to-end encryption when data such as a password is to be protected
from access by other than the original sender or ultimate receiver (the
end-to-end argument [1-3], as usual).  So, making the assumption that
HTTP is handled in such uncontrolled ways, and noting that basic
authentication provides no additional encryption for passwords, we
suggest that when in doubt basic authentication should be avoided,
particularly when one or more portions of the transmission path are
unencrypted.

Though others on the TAG seemed OK with it, and I won't stand in the way
if that's what they want, I don't think saying "don't send things in the
clear" means very much, unless you clarify with some technical rigor
what "in the clear" is.

Noah

P.S. As I may have mentioned once or twice, the paper referenced below
is one of my favorites. If you haven't read it, I highly recommend it.
One of the truly fundamental pieces of work in computer science, and the
philosophical underpinning of the internet as we know it.  I'd start
with [1], which is a retrospective, and then read the paper itself at
[2]. 
Enjoy.



[1] (online copy) http://www.reed.com/Papers/EndtoEnd.html
[2] (as published by ACM in 1981) J[erome] H. Saltzer, D[avid] P. Reed,
and D[avid] D. Clark. End-to-end arguments in system design. ACM
Transactions on Computer Systems 2, 4 (November 1984), pages 277-288. An
earlier version appeared in the Second International Conference on
Distributed Computing Systems (April 1981), pages 509-512.
[3] (interesting discussion of related issues 20 years later)
http://web.mit.edu/Saltzer/www/publications/endtoend/ANe2ecomment.html

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
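The point Noah makes above, that Basic authentication adds no encryption of its own, so the password is protected only where the hop it crosses is encrypted, can be checked per hop. The following is an added example written for this archive page, not code from either correspondent; the captured requests and the hostname are constructed, and each entry records which transport scheme was in effect on that hop.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample captures: (scheme on this hop, raw HTTP request).
# Hostname and credential are made up for this example.
SAMPLE_REQUESTS = [
    ("http", "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
             "Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"),
    ("https", "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
              "Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"),
    ("http", "GET /public HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("http", "GET /x HTTP/1.1\r\nAuthorization: Basic not-base64!\r\n\r\n"),
]

@dataclass
class Finding:
    user: str
    exposed: bool   # True when the credential crossed an unencrypted hop
    note: str

def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover user and password from a Basic credential: base64 of
    'user:password' (RFC 7617). Returns None if the token is not valid
    base64 or lacks the ':' separator. Base64 is encoding, not encryption."""
    token = header_value.strip()
    if not token.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(token[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def audit_request(scheme: str, raw_request: str) -> Optional[Finding]:
    """Flag Basic credentials that crossed a hop without TLS protection."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        exposed = scheme != "https"
        creds = decode_basic(value)
        if creds is None:
            return Finding("?", exposed, "Authorization present but not a decodable Basic token")
        note = ("password readable by anyone on this hop" if exposed
                else "hop is TLS-protected")
        return Finding(creds[0], exposed, note)
    return None   # no credential on this hop
```

Running audit_request over every hop of a path (for instance the VPN-protected segment and the plain segments before and after it) shows directly which hops expose the password, which is the "in the clear" question the thread is debating.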

Received on Wednesday, 15 November 2006 21:22:01 UTC