Re: [apps-discuss] [websec] [kitten] [saag] HTTP authentication: the next generation
Yoav Nir <ynir@checkpoint.com> Mon, 13 December 2010 13:07 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D6DB528C0DC; Mon, 13 Dec 2010 05:07:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.611
X-Spam-Level:
X-Spam-Status: No, score=-9.611 tagged_above=-999 required=5 tests=[AWL=0.988, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbzEQ2t+Rgvk; Mon, 13 Dec 2010 05:07:01 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by core3.amsl.com (Postfix) with ESMTP id 6A0423A6DA5; Mon, 13 Dec 2010 05:07:01 -0800 (PST)
X-CheckPoint: {4D061AD6-A-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id oBDD8b6B008607; Mon, 13 Dec 2010 15:08:37 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 13 Dec 2010 15:08:37 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Carsten Bormann <cabo@tzi.org>
Date: Mon, 13 Dec 2010 15:08:40 +0200
Thread-Topic: [websec] [kitten] [apps-discuss] [saag] HTTP authentication: the next generation
Thread-Index: AcuaxtqbIpwUgQEmQVSWqnfszltQeg==
Message-ID: <5D5AF795-22AB-4726-B791-3706693466C3@checkpoint.com>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com> <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <4D054041.7010203@cisco.com> <0435D11C-DF55-464D-B23F-F5D114DEE2C3@checkpoint.com> <2229.1292235952.971571@puncture> <4D05FB8F.3070804@qbik.com> <2229.1292239384.281779@puncture> <96517E19-5DC7-47A0-8C21-C710F6F8F772@tzi.org>
In-Reply-To: <96517E19-5DC7-47A0-8C21-C710F6F8F772@tzi.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 13 Dec 2010 09:51:14 -0800
Cc: General discussion of application-layer protocols <apps-discuss@ietf.org>, websec <websec@ietf.org>, - Next Generation <kitten@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>, Common, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [apps-discuss] [websec] [kitten] [saag] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Dec 2010 13:07:03 -0000
On Dec 13, 2010, at 2:14 PM, Carsten Bormann wrote: > On Dec 13, 2010, at 12:23, Dave Cridland wrote: > >> every webapp currently uses a form > > Yes. Nice demonstration of conflicting requirements. > > As a webapp developer, I want to control the user interface during authentication. > Leaving the user alone with the bland and unforgiving browser user interface for HTTP auth is suicide. > I want to provide extra buttons for forgotten passwords, maybe even password hints, and a "sign up" method. > HTML/CSS/JS lends itself well to providing such a friendly user interface. Yes. That's a big part of the problem. To get the security result we're looking for, the login field has to be clearly marked. A user should never be allowed to make the mistake of thinking that a regular input field is actually the password field. With Basic Auth you get some very distinctive clues (like the sheet in Safari). So if we invent <input type="password_2.0" />, how can the browser show it that would not be possible to replicate with HTML/CSS/JS ? > > As a security geek, I recognize this as exactly the problem that creates the potential for phishing. > Having the user type credentials into a random form is never going to be secure, HSTS notwithstanding. Agree. > Maybe the only way to address both requirements is to have something in HTML/CSS/JS that addresses authentication interactions. > Replacing <input type="password"/> for the 21st century. This would allow web app designers to design a nice context for this interaction, and would allow running security protocols that are binding themselves to a browser-server security association that may be identical to or different from the TLS envelope. "Storing passwords" in the browser might turn into storing those security associations. I don't think the security requirements can be met using this (although I'd love to hear differently from browser people). Maybe if we could customize the authentication dialog with some kind of icon (like favicon), and maybe a frame or a div with some HTML elements (buttons, links). I am not a UI expert (IANAUIE ?) but I think it's important that user authentication be quite distinct from the rest of the flow. IOW the user should know that at this point, she is not just surfing, but actually authenticating to a particular server, and if she's ever presented with some web form that says "username:_______ password:_______" she's going to know that something is wrong. > > This is not "HTTP authentication", but it might be more useful in the long run. > We'll need the browser people to start any such effort. Fully agree. We really need to hear from both browser people and web application developers. No point in designing something really secure if the people in google/amazon/BOA then say "no, we'll never use that" > > Gruesse, Carsten > > PS.: And I'd still like to have some better form of authentication for machine-to-machine that can be independent from the TLS envelope. But that is a completely different animal. > > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec > > Scanned by Check Point Total Security Gateway.
- Re: [apps-discuss] HTTP authentication: the next … Mark Nottingham
- [apps-discuss] HTTP authentication: the next gene… Peter Saint-Andre
- Re: [apps-discuss] [saag] HTTP authentication: th… Paul Hoffman
- Re: [apps-discuss] [kitten] HTTP authentication: … Nicolas Williams
- Re: [apps-discuss] [saag] HTTP authentication: th… Henry B. Hotz
- Re: [apps-discuss] [websec] HTTP authentication: … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Luke Howard
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yaron Sheffer
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Roy T. Fielding
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Carsten Bormann
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [websec] HTTP authentication: … Julian Reschke
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Adrien de Croy
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Alan DeKok
- Re: [apps-discuss] [websec] [saag] HTTP authentic… Ben Laurie
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Raggett
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yaron Sheffer
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Yoav Nir
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yoav Nir
- Re: [apps-discuss] [http-auth] [websec] [saag] [k… Henry B. Hotz
- Re: [apps-discuss] [http-auth] [websec] [saag] HT… Henry B. Hotz
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Steven Bellovin
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [http-auth] [websec] HTTP auth… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Joel Jaeggli
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Tim
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Adrien de Croy
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Nathan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Adrien de Croy
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Josh Howlett
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Jeffrey Hutzelman
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … David Morris
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Robert Sayre
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Tim
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Theodore Tso