Re: [apps-discuss] [websec] [kitten] [saag] HTTP authentication: the next generation

Tim <> Thu, 06 January 2011 16:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A934B3A6E25 for <>; Thu, 6 Jan 2011 08:31:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.54
X-Spam-Status: No, score=-2.54 tagged_above=-999 required=5 tests=[AWL=-0.275, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DBcOmS3R6LzY for <>; Thu, 6 Jan 2011 08:31:15 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 52DA73A6C4F for <>; Thu, 6 Jan 2011 08:31:15 -0800 (PST)
Received: (qmail 3319 invoked from network); 6 Jan 2011 16:28:47 -0000
Received: from unknown (HELO ( by with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 Jan 2011 16:28:47 -0000
Received: (qmail 23661 invoked from network); 6 Jan 2011 16:29:18 -0000
Received: from ( by with SMTP; 6 Jan 2011 16:29:18 -0000
Received: (nullmailer pid 15198 invoked by uid 1000); Thu, 06 Jan 2011 16:25:59 -0000
Date: Thu, 06 Jan 2011 08:25:59 -0800
From: Tim <>
To: Ben Laurie <>
Message-ID: <>
References: <p06240809c928635499e8@> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Mailman-Approved-At: Thu, 06 Jan 2011 08:36:36 -0800
Cc: "" <>, "Roy T. Fielding" <>, websec <>, Robert Sayre <>, "" <>, "" <>, "" <>, " Group" <>
Subject: Re: [apps-discuss] [websec] [kitten] [saag] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Jan 2011 16:31:15 -0000

> 1. The IETF has fixed the problem, but no-one is using the fix - perhaps
> because it is not clear that it is the fix. I speak of RFC 4279, TLS
> pre-shared keys. These could be derived from a hash of the password and the
> site name, for example, and thus provide secure mutual authentication
> despite password reuse.
> 2. I have often heard (though I am not aware of hard evidence for this,
> nevertheless I find it plausible) that one reason no-one has bothered to
> improve HTTP auth is because no-one would use it since site owners want to
> control the user experience around signin. It seems to me, therefore, that
> HTTP is the wrong layer to fix the problem at - it needs to be pushed down
> into HTML or Javascript so that the page can control the look, while
> appropriate HTML elements or JS code can deal with the secure exchange of
> data.

Yes, the user experience piece is definitely the biggest adoption
problem for HTTP auth, IMO.  However, I disagree that HTTP is the
wrong layer.  It has already been shown (by myself and others) that
using HTTP authentication and controlling the user experience can
largely be achieved already.  A few tweaks to browser 401 response
behavior (which doesn't require standards changes) and the ability for
servers to force a log out are all that's left to provide to make
this reliable.

As for RFC 4279, I'm not really familiar with it, but I imagine the
mechansims which allow for user experience customization right now
with HTTP auth could easily be extended to any TLS authentication
mechansim.  The only requirement there would be to add some simple
language allowing for this behavior in [1].  That is, allow
XMLHttpRequest objects to hand the credentials they already accept off
to the TLS layer, either for RFC 4279 or for SRP/TLS.  

> Of course, this still leaves the issue of trusted path: although we can
> provide elements which are safe to use, even when being phished, how does
> the user know those elements are actually being used, rather than simulated
> so as to get hold of the underlying password?
> The answer to this problem is hard, since it brings us back to taking the UI
> out of the sites hands.

Yes, so what I've outlined above and elsewhere is a relatively simple
transition path to allow adoption of better authentication standards
with customizable user interfaces.  But those are problematic by
design.  However, I'd assert that moving web applications off of
cookies to some lower-layer mechanism is going to be a required first
step in order to provide authentication prompts that are part of the
browser, for those who need that security.