Portal authorization (was: Re: multiplexing -- don't do it)
"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Tue, 10 April 2012 01:33 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1984021F85A0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 9 Apr 2012 18:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.395
X-Spam-Level:
X-Spam-Status: No, score=-3.395 tagged_above=-999 required=5 tests=[AWL=6.904, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3q+mxCORc4uy for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 9 Apr 2012 18:33:34 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 3383821F8562 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 9 Apr 2012 18:33:33 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1SHPvz-0008Kr-Ku for ietf-http-wg-dist@listhub.w3.org; Tue, 10 Apr 2012 01:31:51 +0000
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <duerst@it.aoyama.ac.jp>) id 1SHPvp-0008K0-7L for ietf-http-wg@listhub.w3.org; Tue, 10 Apr 2012 01:31:41 +0000
Received: from scintmta01.scbb.aoyama.ac.jp ([133.2.253.33]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <duerst@it.aoyama.ac.jp>) id 1SHPvl-0008Hc-3q for ietf-http-wg@w3.org; Tue, 10 Apr 2012 01:31:39 +0000
Received: from scmse01.scbb.aoyama.ac.jp ([133.2.253.231]) by scintmta01.scbb.aoyama.ac.jp (secret/secret) with SMTP id q3A1V9vQ011092 for <ietf-http-wg@w3.org>; Tue, 10 Apr 2012 10:31:09 +0900
Received: from (unknown [133.2.206.133]) by scmse01.scbb.aoyama.ac.jp with smtp id 5d6a_3da5_d956d916_82ac_11e1_9684_001d096c566a; Tue, 10 Apr 2012 10:31:08 +0900
Received: from [IPv6:::1] ([133.2.210.1]:36334) by itmail.it.aoyama.ac.jp with [XMail 1.22 ESMTP Server] id <S15B552A> for <ietf-http-wg@w3.org> from <duerst@it.aoyama.ac.jp>; Tue, 10 Apr 2012 10:31:12 +0900
Message-ID: <4F838D59.50304@it.aoyama.ac.jp>
Date: Tue, 10 Apr 2012 10:31:05 +0900
From: "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100722 Eudora/3.0.4
MIME-Version: 1.0
To: Jamie Lokier <jamie@shareable.org>
CC: Nicolas Mailhot <nicolas.mailhot@laposte.net>, "\"William Chan (陈智昌)\"" <willchan@chromium.org>, ietf-http-wg@w3.org
References: <4F763DD2.70604@isode.com> <em3e102790-aa55-4d0f-9ff3-39bf0ca77fd3@boist> <CABaLYCvGt=pqwVXaWMMUTyD1Gg=qizRG_WuekC33awBRu53AAQ@mail.gmail.com> <4F76AABF.3010201@gmx.de> <CABaLYCsB+outivXFwj8iFH+dM6XedxwR672Rw7pOhtzj7r6X-A@mail.gmail.com> <loom.20120406T155512-618@post.gmane.org> <CAA4WUYipNcFpigX4MHQHOtM-M0vFBSRjMJLZnpN6GXkPinVNMw@mail.gmail.com> <50b278cb647638c66ee1db0fe1bf8488.squirrel@arekh.dyndns.org> <20120407192933.GA3240@jl-vm1.vm.bytemark.co.uk> <502fe0631a8a28bce027c70c6e733c38.squirrel@arekh.dyndns.org> <20120409151210.GC3240@jl-vm1.vm.bytemark.co.uk>
In-Reply-To: <20120409151210.GC3240@jl-vm1.vm.bytemark.co.uk>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Received-SPF: none client-ip=133.2.253.33; envelope-from=duerst@it.aoyama.ac.jp; helo=scintmta01.scbb.aoyama.ac.jp
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01
X-W3C-Scan-Sig: lisa.w3.org 1SHPvl-0008Hc-3q fad9195a6061646d5834b443000bc1b2
X-Original-To: ietf-http-wg@w3.org
Subject: Portal authorization (was: Re: multiplexing -- don't do it)
Archived-At: <http://www.w3.org/mid/4F838D59.50304@it.aoyama.ac.jp>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/13413
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1SHPvz-0008Kr-Ku@frink.w3.org>
Resent-Date: Tue, 10 Apr 2012 01:31:51 +0000
Hello Jamie, others, Mark had a draft on this, http://tools.ietf.org/html/draft-nottingham-http-portal-02. I'm not sure why it didn't move forward. Regards, Martin. On 2012/04/10 0:12, Jamie Lokier wrote: > Nicolas Mailhot wrote: >> >> Le Sam 7 avril 2012 21:29, Jamie Lokier a écrit : >>> Nicolas Mailhot wrote: >> >>>> The proposal has been made many times in browser bug trackers. It's always >>>> basically: >>>> 1. web client requests a web page >>>> 2. gateway responds web client is not authorized (or authorized anymore) to >>>> access this url, and specifies the address of its authentication page >>>> 3. web client displays this address (if it's a dumb client like curl) or >>>> renders it (if it's a browser) >>>> 4. user authenticates >>>> 5. web client retries its first request and now it works >>>> >>>> Happiness ensues as the user gets its page, the admin is not yelled at, and >>>> corporate filtering is enforced. >>> >>> That's quite broken if the request is an AJAX update or something >>> like that from an existing page on their browser, such as a page >>> they've kept open from before, or resumed from a saved session, or as >>> you say not authorized any more (presumably were earlier). >> >> No that's not quite broken that's the only way it can work. >> >> Please admit that on restricted networks access to some external sites >> requires authorization. That this authorization won't be eternal for basic >> security reasons. That due to hibernation/resume/client mobility/plain >> equipment maintenance this authorization will need to be acquired or >> reacquired at any point in the web client browsing. > > I'm not arguing against the authorization requirement. > > I'm only saying that your "happiness ensues" conclusion is false, as > you did say the proposal is always basically the same, and in my > personal experience as an end user, it's horrible already. > >> That means yes you do need to handle ajax updates, >> mid-of-tls-interruptions, and all the difficult use cases. The user >> is not going to oblige you by restricting himself to the simple use >> cases when auth needs reacquiring Because if web clients don't >> handle those, the gateway will always have the option to block the >> access. And make no mistake it will and does exercise it. > > Right. But the web client _can't_ handle those cases, because the > gateway is injecting a fake redirect, the gateway doesn't know what > it's interrupting, and the result is just like a normal page, not an > error page or special signal to the browser asking for authorization. > >> The refusal to handle those cases so far has resulted in : >> 1. broken hotel/conference captive portals >> 2. widespread availability of TLS interception in proxy manufacturer catalogs >> 3. corporations getting stuck on old insecure browser versions because the >> newer ones 'security' hardening broke their proxies >> 4. corporations hand-patching newer browser releases to restore the old >> 'redirection on https works' behaviour >> >> And in all those cases, who were the first to suffer? The users. If you'd poll >> them the vast majority would care *nothing* about the https cleanliness model, >> privacy, etc. Not as long that means they have a broken browsing experience >> everyday long. > > Here's what happens in the old style: I connect to > corporate/hotel/cafe network. Then I dread starting Firefox because > my last 50 open tabs will start up and _all_ redirect to the portal's > Wifi login page. I get 50 stupid login pages, and lose the original > state. > > If I'm paying attention, I start Firefox _before_ connecting to the > network, wait for it to start in offline mode and load the 50 tabs > correctly, and then connect to the network. > > But still, those pages which are using AJAX polling start doing random > things, as their Javascript gets something random it wasn't expecting. > > These days I resort to running w3m (a Lynx-like text-only browser) to > go the proxy's login page first. But that's increasingly broken too, > as some Wifi login pages have stopped being normal forms, and only > work in a fully fledged graphical browser with Javascript enabled, to > "simulate" form fieleds. Don't ask me why. All I know is the model > you are pushing is broken enough with HTTP. > > So my objection to the classical approach to authorization by > redirecting everything has nothing to do with security, or even HTTPS, > and everything to do with the user experience. > > What would work much is if the browser got a response meaning "you > will need to authorize before the original request can proceed - open > [URL] to present an authorization page", and do not consider the > original request to have completed yet. > > Intercepting proxies could do that with HTTP or HTTPS or HTTP/2.0 if > there's a standard signal for it, *without* having to break the > security model or mislead any users. It would be a nicer experience > for everyone. > > -- Jamie > >
- Re: multiplexing -- don't do it Adrien W. de Croy
- multiplexing -- don't do it Peter L
- Re: multiplexing -- don't do it Brian Pane
- Re: multiplexing -- don't do it J Ross Nicoll
- Re: multiplexing -- don't do it Mike Belshe
- RE: multiplexing -- don't do it Peter L
- RE: multiplexing -- don't do it Peter L
- Re: multiplexing -- don't do it Brian Pane
- Re: multiplexing -- don't do it Roberto Peon
- RE: multiplexing -- don't do it Peter L
- RE: multiplexing -- don't do it Peter L
- Re: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Alexey Melnikov
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Julian Reschke
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Poul-Henning Kamp
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Ian Fette (イアンフェッティ)
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Mark Nottingham
- Re: multiplexing -- don't do it Peter L
- Re: multiplexing -- don't do it Peter L
- Re: multiplexing -- don't do it Adam Barth
- Re: multiplexing -- don't do it Roberto Peon
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Peter Lepeska
- Re[2]: multiplexing -- don't do it Adrien W. de Croy
- Re: Re[2]: multiplexing -- don't do it Peter L
- Re[4]: multiplexing -- don't do it Adrien W. de Croy
- Re: Re[4]: multiplexing -- don't do it William Chan (陈智昌)
- Re: multiplexing -- don't do it Amos Jeffries
- Re: Re[2]: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Amos Jeffries
- Re: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Poul-Henning Kamp
- Re: multiplexing -- don't do it Mark Nottingham
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Peter Lepeska
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Adrien W. de Croy
- breaking TLS (Was: Re: multiplexing -- don't do i… Stephen Farrell
- Re: multiplexing -- don't do it Roberto Peon
- Re: breaking TLS (Was: Re: multiplexing -- don't … Adrien W. de Croy
- Re: breaking TLS (Was: Re: multiplexing -- don't … Roberto Peon
- Re: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Roberto Peon
- Re: multiplexing -- don't do it Ray Polk
- Re: multiplexing -- don't do it Roberto Peon
- Re: multiplexing -- don't do it Mark Nottingham
- Re: breaking TLS (Was: Re: multiplexing -- don't … Stephen Farrell
- Re: multiplexing -- don't do it J Ross Nicoll
- Re: multiplexing -- don't do it Roberto Peon
- Re: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Adrien W. de Croy
- Re: breaking TLS (Was: Re: multiplexing -- don't … Adrien W. de Croy
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: breaking TLS (Was: Re: multiplexing -- don't … Mike Belshe
- Re: multiplexing -- don't do it Robert Collins
- Re: breaking TLS (Was: Re: multiplexing -- don't … Stephen Farrell
- Re[2]: multiplexing -- don't do it Adrien W. de Croy
- Re: breaking TLS (Was: Re: multiplexing -- don't … William Chan (陈智昌)
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re[3]: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it patrick mcmanus
- Re: Re[3]: multiplexing -- don't do it Robert Collins
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: breaking TLS (Was: Re: multiplexing -- don't … Stephen Farrell
- Re: multiplexing -- don't do it Amos Jeffries
- Re: multiplexing -- don't do it Stephen Farrell
- Re: multiplexing -- don't do it Amos Jeffries
- Re: breaking TLS (Was: Re: multiplexing -- don't … William Chan (陈智昌)
- Re: breaking TLS (Was: Re: multiplexing -- don't … Stephen Farrell
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: multiplexing -- don't do it patrick mcmanus
- Re: breaking TLS (Was: Re: multiplexing -- don't … Amos Jeffries
- Re[2]: breaking TLS (Was: Re: multiplexing -- don… Adrien W. de Croy
- Re: breaking TLS (Was: Re: multiplexing -- don't … Martin Thomson
- Re[2]: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Stephen Farrell
- Re[2]: multiplexing -- don't do it Adrien W. de Croy
- Re: breaking TLS (Was: Re: multiplexing -- don't … Willy Tarreau
- Re: multiplexing -- don't do it Mike Belshe
- proxy config (was Re: multiplexing -- don't do it) Daniel Stenberg
- Re: multiplexing -- don't do it Roberto Peon
- Re: multiplexing -- don't do it J Ross Nicoll
- Re: multiplexing -- don't do it Stephen Farrell
- Re: breaking TLS (Was: Re: multiplexing -- don't … Henry Story
- Re: multiplexing -- don't do it Mike Belshe
- RE: proxy config (was Re: multiplexing -- don't d… Eric Lawrence
- Re: multiplexing -- don't do it Roy T. Fielding
- Re: multiplexing -- don't do it Poul-Henning Kamp
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re[2]: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Poul-Henning Kamp
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Willy Tarreau
- Re: multiplexing -- don't do it Patrick McManus
- Re: multiplexing -- don't do it Peter Lepeska
- Re: multiplexing -- don't do it Peter Lepeska
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Peter L
- Re: multiplexing -- don't do it Peter L
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: multiplexing -- don't do it Roberto Peon
- Re: multiplexing -- don't do it William Chan (陈智昌)
- options or protocols? Eliot Lear
- Re: options or protocols? Adrien W. de Croy
- Re: options or protocols? Willy Tarreau
- Re: options or protocols? Adrien W. de Croy
- Re: options or protocols? Willy Tarreau
- Re: options or protocols? Adrien de Croy
- Re: options or protocols? William Chan (陈智昌)
- Re: options or protocols? Willy Tarreau
- Re: multiplexing -- don't do it Patrick McManus
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: multiplexing -- don't do it Peter Lepeska
- Re: multiplexing -- don't do it Peter Lepeska
- Re: multiplexing -- don't do it Peter Lepeska
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: multiplexing -- don't do it Jon Leighton
- Re: multiplexing -- don't do it Roberto Peon
- Re: multiplexing -- don't do it Peter Lepeska
- Re: breaking TLS (Was: Re: multiplexing -- don't … Nicolas Mailhot
- HTTP -> Messages -> Transport factoring Mark Nottingham
- Re: HTTP -> Messages -> Transport factoring Mike Belshe
- Re: multiplexing -- don't do it Mike Belshe
- RE: HTTP -> Messages -> Transport factoring Henrik Frystyk Nielsen
- Re: HTTP -> Messages -> Transport factoring Mark Nottingham
- Re: multiplexing -- don't do it Jon Leighton
- Re: HTTP -> Messages -> Transport factoring Poul-Henning Kamp
- Re: HTTP -> Messages -> Transport factoring Willy Tarreau
- Re: HTTP -> Messages -> Transport factoring Willy Tarreau
- Re: HTTP -> Messages -> Transport factoring Carsten Bormann
- Re: HTTP -> Messages -> Transport factoring Poul-Henning Kamp
- Re: HTTP -> Messages -> Transport factoring Carsten Bormann
- Re: options or protocols? Adrien de Croy
- Re: HTTP -> Messages -> Transport factoring Mike Belshe
- Re: HTTP -> Messages -> Transport factoring David Morris
- Re: HTTP -> Messages -> Transport factoring Mike Belshe
- Re: multiplexing -- don't do it Nicolas Mailhot
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: breaking TLS (Was: Re: multiplexing -- don't … Nicolas Mailhot
- Re: breaking TLS (Was: Re: multiplexing -- don't … William Chan (陈智昌)
- Re: multiplexing -- don't do it Nicolas Mailhot
- Re: breaking TLS (Was: Re: multiplexing -- don't … Nicolas Mailhot
- Re: breaking TLS (Was: Re: multiplexing -- don't … Mike Belshe
- Re: multiplexing -- don't do it Mike Belshe
- Re: multiplexing -- don't do it Nicolas Mailhot
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: breaking TLS (Was: Re: multiplexing -- don't … Stephen Farrell
- Re: multiplexing -- don't do it Stephen Farrell
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: multiplexing -- don't do it Stephen Farrell
- Re: multiplexing -- don't do it William Chan (陈智昌)
- Re: multiplexing -- don't do it Poul-Henning Kamp
- Re: multiplexing -- don't do it Roberto Peon
- RE: multiplexing -- don't do it Henrik Frystyk Nielsen
- Re: multiplexing -- don't do it Stephen Farrell
- Re: multiplexing -- don't do it Nicolas Mailhot
- Re: multiplexing -- don't do it Willy Tarreau
- Re: breaking TLS (Was: Re: multiplexing -- don't … Willy Tarreau
- Re: breaking TLS (Was: Re: multiplexing -- don't … Roberto Peon
- Re: breaking TLS (Was: Re: multiplexing -- don't … Stephen Farrell
- Re: breaking TLS (Was: Re: multiplexing -- don't … Willy Tarreau
- Re: breaking TLS (Was: Re: multiplexing -- don't … Poul-Henning Kamp
- Re: breaking TLS (Was: Re: multiplexing -- don't … Willy Tarreau
- Re: breaking TLS (Was: Re: multiplexing -- don't … Daniel Stenberg
- Re: breaking TLS (Was: Re: multiplexing -- don't … Poul-Henning Kamp
- Re: breaking TLS (Was: Re: multiplexing -- don't … Roberto Peon
- Re: multiplexing -- don't do it tom
- Re: multiplexing -- don't do it tom
- Re: multiplexing -- don't do it patrick mcmanus
- Re: multiplexing -- don't do it tom
- Re: multiplexing -- don't do it Jamie Lokier
- Re: multiplexing -- don't do it Jamie Lokier
- Re: multiplexing -- don't do it David Morris
- Re: multiplexing -- don't do it Peter Lepeska
- Re: multiplexing -- don't do it Roberto Peon
- Re[2]: multiplexing -- don't do it Adrien W. de Croy
- Re[2]: multiplexing -- don't do it Adrien W. de Croy
- Re: Re[2]: multiplexing -- don't do it Poul-Henning Kamp
- Re[4]: multiplexing -- don't do it Adrien W. de Croy
- Re: multiplexing -- don't do it Nicolas Mailhot
- Re: multiplexing -- don't do it Jamie Lokier
- Portal authorization (was: Re: multiplexing -- do… Martin J. Dürst
- Re: multiplexing -- don't do it Nicolas Mailhot
- Re: Portal authorization (was: Re: multiplexing -… Nicolas Mailhot
- Re: Portal authorization (was: Re: multiplexing -… Nicolas Mailhot
- Re: Portal authorization Julian Reschke
- Re: Portal authorization Julian Reschke
- Re: Portal authorization Nicolas Mailhot
- Re: Portal authorization Julian Reschke
- Re: multiplexing -- don't do it Salvatore Loreto
- Re: multiplexing -- don't do it Amos Jeffries
- Re: Portal authorization Amos Jeffries