Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Ben Laurie <benl@google.com> Fri, 14 January 2011 09:57 UTC

Return-Path: <benl@google.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B8B973A6AC9 for <apps-discuss@core3.amsl.com>; Fri, 14 Jan 2011 01:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.736
X-Spam-Level:
X-Spam-Status: No, score=-103.736 tagged_above=-999 required=5 tests=[AWL=-0.759, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NGfUYNioMABE for <apps-discuss@core3.amsl.com>; Fri, 14 Jan 2011 01:57:59 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by core3.amsl.com (Postfix) with ESMTP id E2B873A6A0D for <apps-discuss@ietf.org>; Fri, 14 Jan 2011 01:57:56 -0800 (PST)
Received: from kpbe11.cbf.corp.google.com (kpbe11.cbf.corp.google.com [172.25.105.75]) by smtp-out.google.com with ESMTP id p0EA0KUE024965 for <apps-discuss@ietf.org>; Fri, 14 Jan 2011 02:00:20 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1294999221; bh=4HjEKMmA6PPVeYrCzXGB9XJoaJc=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=ku1dye3cK8J2LuGDWh2s2F5CiKiqDwelNTN3jW0GmSOUBEBd0QpGqNkcbReNbv7ek 3vrYo093/UqwUfoB+dwDw==
Received: from qwa26 (qwa26.prod.google.com [10.241.193.26]) by kpbe11.cbf.corp.google.com with ESMTP id p0EA0IwC027482 for <apps-discuss@ietf.org>; Fri, 14 Jan 2011 02:00:19 -0800
Received: by qwa26 with SMTP id 26so2542252qwa.19 for <apps-discuss@ietf.org>; Fri, 14 Jan 2011 02:00:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=pOv0POGRSp4j8mzD5VRvAxYScXGJeD+JAQmTzfFsha8=; b=QlnWNTYdpnVqArTKVax8JGp+chiH908UHFXhpfKJHxQ9pdwSR1UnDQoKzHvmANLchD riQVXwbbQy5wyTvopi9Q==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=Q42xBptqqqWzKPqxAdm9MCgsaqciCJPxGka8QYv4t96iB5eQwqPkGq1k2ZkcK6qwBU uC7s/RdAorxzTno2ce0Q==
MIME-Version: 1.0
Received: by 10.229.95.11 with SMTP id b11mr537655qcn.28.1294999218581; Fri, 14 Jan 2011 02:00:18 -0800 (PST)
Received: by 10.220.88.137 with HTTP; Fri, 14 Jan 2011 02:00:18 -0800 (PST)
In-Reply-To: <E1PdZLM-0001Nu-MT@login01.fos.auckland.ac.nz>
References: <4D2A239C.6040801@extendedsubset.com> <E1PdZLM-0001Nu-MT@login01.fos.auckland.ac.nz>
Date: Fri, 14 Jan 2011 10:00:18 +0000
Message-ID: <AANLkTi=9Uqk0bCt1k+gux6n3H9xU-br3nz5gnL6p-wdP@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Mailman-Approved-At: Fri, 14 Jan 2011 10:22:37 -0800
Cc: apps-discuss@ietf.org, dwm@xpasc.com, websec@ietf.org, marsh@extendedsubset.com, kitten@ietf.org, zedshaw@zedshaw.com, http-auth@ietf.org, ietf-http-wg@w3.org, hallam@gmail.com, saag@ietf.org
Subject: Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2011 09:57:59 -0000

On 14 January 2011 02:24, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> Marsh Ray <marsh@extendedsubset.com> writes:
>
>>Phishing can be said to have been prevented only when the user can be relied
>>upon to refuse to enter his password into an insecure box.
>
> I think you need to phrase that more generally, "when the user can be relied
> upon to not authenticate to the wrong site", because there's more ways of
> authenticating around than just typing a string into a web form.  For example
> some password managers do site-specifc passwords, so even if you go to the
> wrong site you can't accidentally provide your credentials for the correct
> site.

That phrasing is only correct if the authentication method leaks the password...

>
>>For example, my bank asks for my username and then shows me a familiar
>>picture (e.g., a rocking horse) that is supposed to prevent phishing. This
>>stops phishing only in the sense that it requires the attacker to use a CGI
>>proxy app rather than simple static phishing site.
>
> ... or display a broken-image GIF, or a message that the award-winning
> security whatsit is being upgraded and will be back soon, or ...
>
> (this is from a real-world evaluation of the (in-)effectiveness of site
> images, I can dig up the ref if required).  Site images rate more as a
> security gimmick than any real security measure.

Exactly.