Re: [secdir] secdir review of draft-ietf-httpauth-basicauth-update-06 -- transition strategy for charset parameter

Julian Reschke <julian.reschke@gmx.de> Fri, 20 February 2015 15:50 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 052751A8781; Fri, 20 Feb 2015 07:50:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fLRrBy2pR4vE; Fri, 20 Feb 2015 07:50:02 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E62941A8547; Fri, 20 Feb 2015 07:50:01 -0800 (PST)
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0M7HGA-1Xapi23egY-00x41H; Fri, 20 Feb 2015 16:49:37 +0100
Message-ID: <54E75788.2020809@gmx.de>
Date: Fri, 20 Feb 2015 16:49:28 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, draft-ietf-httpauth-basicauth-update.all@tools.ietf.org
References: <874mqjd49v.fsf@alice.fifthhorseman.net> <54E50FC3.9080708@gmx.de> <871tllbw2c.fsf@alice.fifthhorseman.net> <54E6348A.3080606@gmx.de> <87mw49ac9h.fsf@alice.fifthhorseman.net>
In-Reply-To: <87mw49ac9h.fsf@alice.fifthhorseman.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:nybL+O+WEV2E2oNVzXd3cY33aepJfgT07Yvq4oqwF7jfr+B6Y3M cgvgO7JvmjavSGkYaPWC3LlBVbdpz3DwtN9weSTpNnPjmGZPI7SQeo0ErZwqKAteO5/SEPL qGsfOzcF0Qy1RNc3pvsU/6vVy5HPPXgdRQkFUWQLTT0CvsCMTxEbnPG0jQ+uaBKKQXNY/p3 fTtXyHhQJi+zaT+mVuC3g==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/TMcP2kIS8NIEVmzcwc9BFsvytAw>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-httpauth-basicauth-update-06 -- transition strategy for charset parameter
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 15:50:04 -0000

On 2015-02-19 21:15, Daniel Kahn Gillmor wrote:
> ...
>> That being said, the heuristics are quite simple: try to decode the
>> octets with a strict UTF-8 decoder, and if that doesn't fail the input
>> was likely encoded in UTF-8.
>
> Some binary strings are valid in both character encodings, though,
> right?  For example, "c3 a1 62 63" in UTF-8 is "ábc", but in ISO-8859-1,
> it is "ábc" So if my password is non-ASCII in the first place, it could
> very well match the UTF-8 encoding even though i've intended another
> one.
>
> So maybe the heuristic should be: even if the UTF-8 decode succeeds, the
> server could try its fallback decoding mechanism if the UTF-8 version of
> the password doesn't match.  (fwiw, my understanding is that facebook
> checks common accidental variations on the entered password during their
> (non-basic-auth) login process.  so if my password is b4nanAs, but i
> type B4NANaS or b5nanAs, facebook might let me in anyway)
>
> Is this advisable?  What are the risks of testing two variants of the
> password against the password table?  I haven't thought this through
> fully, but it seems like it would be a relevant consideration.
>
> In the absence of a signal from the client about their choice of
> encoding, documenting these heuristics and recommending them seems like
> a useful way to facilitate adoption and uniformity among servers
> implementing this spec.
> ...

I looked at this some more, and it seems that the general question 
applies to the third paragraph in B.2 
(<http://greenbytes.de/tech/webdav/draft-ietf-httpauth-basicauth-update-06.html#rfc.section.B.2.p.3>):

    Finally, origin servers that need to support non-US-ASCII characters
    and can use the UTF-8 character encoding scheme can opt in as
    described above.  In the worst case, they'll continue to see either
    broken credentials or no credentials at all (depending on how legacy
    clients handle characters they cannot encode).

I propose to expand the problem description, and to mention that servers 
that need to support a mix of clients can attempt a "try both" strategy:

    Finally, origin servers that need to support non-US-ASCII characters
    and can use the UTF-8 character encoding scheme can opt in by
    specifying the charset parameter in the authentication challenge.
    Clients that do understand the charset parameter will then start to
    use UTF-8, while other clients will continue to send credentials in
    their default encoding, broken credentials, or no credentials at all.
    Until all clients are upgraded to support UTF-8, servers are likely
    to see both UTF-8 and "legacy" encodings in requests.  When
    processing as UTF-8 fails (due to a failure to decode as UTF-8 or a
    mismatch of user-id/password), a server might try a fallback to the
    previously supported legacy encoding in order to accomodate these
    legacy clients.  Note that implicit retries need to be done
    carefully; for instance, some subsystems might detect repeated login
    failures and treat them as potential credentials guessing attack.

(<http://trac.tools.ietf.org/wg/httpauth/trac/changeset/129>).

WDYT?

Best regards, Julian

PS: slightly related: this section talks about origin servers instead of 
servers (-> proxy authentication); I'll fix that as well.