Re: [apps-discuss] [websec] [kitten] [saag] HTTP authentication: the next generation

Yoav Nir <> Mon, 13 December 2010 13:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D6DB528C0DC; Mon, 13 Dec 2010 05:07:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.611
X-Spam-Status: No, score=-9.611 tagged_above=-999 required=5 tests=[AWL=0.988, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QbzEQ2t+Rgvk; Mon, 13 Dec 2010 05:07:01 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 6A0423A6DA5; Mon, 13 Dec 2010 05:07:01 -0800 (PST)
X-CheckPoint: {4D061AD6-A-1B221DC2-2FFFF}
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id oBDD8b6B008607; Mon, 13 Dec 2010 15:08:37 +0200
Received: from ([]) by ([]) with mapi; Mon, 13 Dec 2010 15:08:37 +0200
From: Yoav Nir <>
To: Carsten Bormann <>
Date: Mon, 13 Dec 2010 15:08:40 +0200
Thread-Topic: [websec] [kitten] [apps-discuss] [saag] HTTP authentication: the next generation
Thread-Index: AcuaxtqbIpwUgQEmQVSWqnfszltQeg==
Message-ID: <>
References: <> <p06240809c928635499e8@[]> <> <> <> <> <> <> <> <> <2229.1292235952.971571@puncture> <> <2229.1292239384.281779@puncture> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 13 Dec 2010 09:51:14 -0800
Cc: General discussion of application-layer protocols <>, websec <>, - Next Generation <>, " Group" <>, "" <>, Common, "" <>
Subject: Re: [apps-discuss] [websec] [kitten] [saag] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Dec 2010 13:07:03 -0000

On Dec 13, 2010, at 2:14 PM, Carsten Bormann wrote:

> On Dec 13, 2010, at 12:23, Dave Cridland wrote:
>> every webapp currently uses a form
> Yes.  Nice demonstration of conflicting requirements.
> As a webapp developer, I want to control the user interface during authentication.
> Leaving the user alone with the bland and unforgiving browser user interface for HTTP auth is suicide.
> I want to provide extra buttons for forgotten passwords, maybe even password hints, and a "sign up" method.
> HTML/CSS/JS lends itself well to providing such a friendly user interface.

Yes. That's a big part of the problem. To get the security result we're looking for, the login field has to be clearly marked. A user should never be allowed to make the mistake of thinking that a regular input field is actually the password field. With Basic Auth you get some very distinctive clues (like the sheet in Safari).  So if we invent <input type="password_2.0" />, how can the browser show it that would not be possible to replicate with HTML/CSS/JS ?

> As a security geek, I recognize this as exactly the problem that creates the potential for phishing.
> Having the user type credentials into a random form is never going to be secure, HSTS notwithstanding.


> Maybe the only way to address both requirements is to have something in HTML/CSS/JS that addresses authentication interactions.
> Replacing <input type="password"/> for the 21st century.  This would allow web app designers to design a nice context for this interaction, and would allow running security protocols that are binding themselves to a browser-server security association that may be identical to or different from the TLS envelope.  "Storing passwords" in the browser might turn into storing those security associations.

I don't think the security requirements can be met using this (although I'd love to hear differently from browser people). Maybe if we could customize the authentication dialog with some kind of icon (like favicon), and maybe a frame or a div with some HTML elements (buttons, links).  I am not a UI expert (IANAUIE ?) but I think it's important that user authentication be quite distinct from the rest of the flow. IOW the user should know that at this point, she is not just surfing, but actually authenticating to a particular server, and if she's ever presented with some web form that says "username:_______ password:_______" she's going to know that something is wrong.

> This is not "HTTP authentication", but it might be more useful in the long run.
> We'll need the browser people to start any such effort.

Fully agree. We really need to hear from both browser people and web application developers. No point in designing something really secure if the people in google/amazon/BOA then say "no, we'll never use that"

> Gruesse, Carsten
> PS.: And I'd still like to have some better form of authentication for machine-to-machine that can be independent from the TLS envelope.  But that is a completely different animal.
> _______________________________________________
> websec mailing list
> Scanned by Check Point Total Security Gateway.