Re: [secdir] secdir review of draft-ietf-httpauth-basicauth-update-06 -- transition strategy for charset parameter
Julian Reschke <julian.reschke@gmx.de> Fri, 20 February 2015 15:50 UTC
Return-Path: <julian.reschke@gmx.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 052751A8781; Fri, 20 Feb 2015 07:50:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fLRrBy2pR4vE; Fri, 20 Feb 2015 07:50:02 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E62941A8547; Fri, 20 Feb 2015 07:50:01 -0800 (PST)
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0M7HGA-1Xapi23egY-00x41H; Fri, 20 Feb 2015 16:49:37 +0100
Message-ID: <54E75788.2020809@gmx.de>
Date: Fri, 20 Feb 2015 16:49:28 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, draft-ietf-httpauth-basicauth-update.all@tools.ietf.org
References: <874mqjd49v.fsf@alice.fifthhorseman.net> <54E50FC3.9080708@gmx.de> <871tllbw2c.fsf@alice.fifthhorseman.net> <54E6348A.3080606@gmx.de> <87mw49ac9h.fsf@alice.fifthhorseman.net>
In-Reply-To: <87mw49ac9h.fsf@alice.fifthhorseman.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:nybL+O+WEV2E2oNVzXd3cY33aepJfgT07Yvq4oqwF7jfr+B6Y3M cgvgO7JvmjavSGkYaPWC3LlBVbdpz3DwtN9weSTpNnPjmGZPI7SQeo0ErZwqKAteO5/SEPL qGsfOzcF0Qy1RNc3pvsU/6vVy5HPPXgdRQkFUWQLTT0CvsCMTxEbnPG0jQ+uaBKKQXNY/p3 fTtXyHhQJi+zaT+mVuC3g==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/TMcP2kIS8NIEVmzcwc9BFsvytAw>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-httpauth-basicauth-update-06 -- transition strategy for charset parameter
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 15:50:04 -0000
On 2015-02-19 21:15, Daniel Kahn Gillmor wrote:
> ...
>> That being said, the heuristics are quite simple: try to decode the
>> octets with a strict UTF-8 decoder, and if that doesn't fail the input
>> was likely encoded in UTF-8.
>
> Some binary strings are valid in both character encodings, though,
> right? For example, "c3 a1 62 63" in UTF-8 is "ábc", but in ISO-8859-1,
> it is "ábc" So if my password is non-ASCII in the first place, it could
> very well match the UTF-8 encoding even though i've intended another
> one.
>
> So maybe the heuristic should be: even if the UTF-8 decode succeeds, the
> server could try its fallback decoding mechanism if the UTF-8 version of
> the password doesn't match. (fwiw, my understanding is that facebook
> checks common accidental variations on the entered password during their
> (non-basic-auth) login process. so if my password is b4nanAs, but i
> type B4NANaS or b5nanAs, facebook might let me in anyway)
>
> Is this advisable? What are the risks of testing two variants of the
> password against the password table? I haven't thought this through
> fully, but it seems like it would be a relevant consideration.
>
> In the absence of a signal from the client about their choice of
> encoding, documenting these heuristics and recommending them seems like
> a useful way to facilitate adoption and uniformity among servers
> implementing this spec.
> ...
I looked at this some more, and it seems that the general question
applies to the third paragraph in B.2
(<http://greenbytes.de/tech/webdav/draft-ietf-httpauth-basicauth-update-06.html#rfc.section.B.2.p.3>):
Finally, origin servers that need to support non-US-ASCII characters
and can use the UTF-8 character encoding scheme can opt in as
described above. In the worst case, they'll continue to see either
broken credentials or no credentials at all (depending on how legacy
clients handle characters they cannot encode).
I propose to expand the problem description, and to mention that servers
that need to support a mix of clients can attempt a "try both" strategy:
Finally, origin servers that need to support non-US-ASCII characters
and can use the UTF-8 character encoding scheme can opt in by
specifying the charset parameter in the authentication challenge.
Clients that do understand the charset parameter will then start to
use UTF-8, while other clients will continue to send credentials in
their default encoding, broken credentials, or no credentials at all.
Until all clients are upgraded to support UTF-8, servers are likely
to see both UTF-8 and "legacy" encodings in requests. When
processing as UTF-8 fails (due to a failure to decode as UTF-8 or a
mismatch of user-id/password), a server might try a fallback to the
previously supported legacy encoding in order to accomodate these
legacy clients. Note that implicit retries need to be done
carefully; for instance, some subsystems might detect repeated login
failures and treat them as potential credentials guessing attack.
(<http://trac.tools.ietf.org/wg/httpauth/trac/changeset/129>).
WDYT?
Best regards, Julian
PS: slightly related: this section talks about origin servers instead of
servers (-> proxy authentication); I'll fix that as well.
- [secdir] secdir review of draft-ietf-httpauth-bas… Daniel Kahn Gillmor
- Re: [secdir] secdir review of draft-ietf-httpauth… Julian Reschke
- Re: [secdir] secdir review of draft-ietf-httpauth… Julian Reschke
- Re: [secdir] secdir review of draft-ietf-httpauth… Daniel Kahn Gillmor
- Re: [secdir] secdir review of draft-ietf-httpauth… Julian Reschke
- Re: [secdir] secdir review of draft-ietf-httpauth… Daniel Kahn Gillmor
- Re: [secdir] secdir review of draft-ietf-httpauth… Julian Reschke
- Re: [secdir] [http-auth] secdir review of draft-i… Bjoern Hoehrmann
- Re: [secdir] [http-auth] secdir review of draft-i… Kathleen Moriarty
- Re: [secdir] [http-auth] secdir review of draft-i… Kathleen Moriarty
- Re: [secdir] [http-auth] secdir review of draft-i… Roy T. Fielding
- Re: [secdir] [http-auth] secdir review of draft-i… Daniel Kahn Gillmor
- Re: [secdir] [http-auth] secdir review of draft-i… Roy T. Fielding
- Re: [secdir] secdir review of draft-ietf-httpauth… Julian Reschke
- [secdir] secdir review of draft-ietf-httpauth-bas… Julian Reschke
- [secdir] [http-auth] secdir review of draft-ietf-… Julian Reschke
- Re: [secdir] secdir review of draft-ietf-httpauth… Julian Reschke