Re: [apps-discuss] [http-auth] [saag] [websec] [kitten] HTTP authentication: the next generation

[Marsh Ray <marsh@extendedsubset.com>]

On 12/16/2010 12:27 PM, der Mouse wrote:
>
> Quite aside from memorizability, few-to-no humans are capable of
> performing the cryptographic operations (large-number arithmetic,
> usually) necessary to carry out certificate operations, at least not
> with the required levels of reliability.  (I can do multi-hundred-digit
> arithmetic, yes, but not nearly either fast enough or free enough of
> mistakes to be useful for the purpose.)

Which is a good argument for it being an example of something a computer 
is better at. Many auth systems have a component which involves 
something humans are good at and computers are lousy at.

> Certificates, at best, determine that some device which is capable of
> performing the cryptographic operations has been given access to the
> corresponding private data....   All passwords demonstrate is
> that some device capable of injecting data into the comm channel in
> question knows the password.

That's a good way to describe it.

> But passwords rarely lull people into
> forgetting the difference.

Pen-and-paper signatures work because people have thousands of years of 
history behind pen technology. It fits well the courtroom test "did you 
or did you not sign that document". It surely happens, but is extremely 
rare that someone who actually signed a contract would later claim that 
it was a forgery, or that their pen and paper were compromised by an 
attacker.

>> For most systems, the vast majority of 'no's are not actual attacks.
>
> Are you sure of that?  There are an awful lot of doorknob-rattlers out
> there.  Most of the login failures I see on my machines actually _are_
> attackers poking to see if I've made stupid mistakes.

OK so there's a baseline attack rate for any given port number. If you 
use the system infrequently enough, attackers outweigh the legitimate users.

But, for example, I personally mistype my password about 10 to 25% of 
the time. That's a correct 'authentication denied' scenario but it's not 
an attack. Systems with a meaningful amount of legitimate activity, and 
are not specially targeted for some reason, are going to have many more 
mistyped passwords than credible attacks.

>> Yeah.  How did the user select their password for the website in the
>> first place, if not by an HTML form POST?
>
>> If it was good enough for the initial sign up, why should the web
>> designer use something other than HTML form POST for the regular
>> login?
>
> For all that that's rhetorical, there is an answer: because one occurs
> only once while the other occurs many times.

I bet for a lot of systems, people sign up once and try it out then go 
away and leave their accounts dormant. E.g., I might create an account 
to buy tickets for something and never go back.

So why can't the attacker attack it that one time then?

You've never signed up for a new account from a hotel or a public wifi?

Even still, how do you convince a web designer that they must give up 
their HTML login form for security when they have an HTML login form to 
choose the password in the first place?

- Marsh