headers
Ben Laurie | 6 Jan 2011 16:31
Picon
Favicon

Re: [websec] [kitten] HTTP authentication: the next generation



On 6 January 2011 01:28, Robert Sayre <sayrer <at> gmail.com> wrote:
> Peter Saint-Andre <stpeter <at> stpeter.im> wrote:
> 2. In 2007, Robert Sayre put together a few slides on the topic:
> http://people.mozilla.com/~sayrer/2007/auth.html

These are back on the Web, in case anyone missed them (probably not).

On Sun, Dec 12, 2010 at 5:39 PM, Roy T. Fielding <fielding <at> gbiv.com> wrote:
>
> Define them all and let's have a bake-off.  It has been 16 years since
> HTTP auth was taken out of our hands so that the security experts could
> define something perfect.  Zero progress so far.

I think the IETF might do better to focus on a smaller problem, at
first. People often use self-signed certificates with HTTP/TLS, even
though the first thing their websites ask the user to do is type a
username and password into a form. There are some well-understood ways
to make this process more secure. Why hasn't the IETF fixed this
problem? If this smaller problem has no ready solution, then the
larger issue of authentication on the entire Web seems like a tough
nut to crack.

Two comments (one really being a response to Roy):

1. The IETF has fixed the problem, but no-one is using the fix - perhaps because it is not clear that it is the fix. I speak of RFC 4279, TLS pre-shared keys. These could be derived from a hash of the password and the site name, for example, and thus provide secure mutual authentication despite password reuse.

2. I have often heard (though I am not aware of hard evidence for this, nevertheless I find it plausible) that one reason no-one has bothered to improve HTTP auth is because no-one would use it since site owners want to control the user experience around signin. It seems to me, therefore, that HTTP is the wrong layer to fix the problem at - it needs to be pushed down into HTML or Javascript so that the page can control the look, while appropriate HTML elements or JS code can deal with the secure exchange of data.

Of course, this still leaves the issue of trusted path: although we can provide elements which are safe to use, even when being phished, how does the user know those elements are actually being used, rather than simulated so as to get hold of the underlying password?

The answer to this problem is hard, since it brings us back to taking the UI out of the sites hands.

 
It could be that the reasons for this lack of progress are
nontechnical. Just throwing that out there.

If you think UI is nontechnical, then I agree.

Cheers,

Ben.

<div>
<br><br><div class="gmail_quote">On 6 January 2011 01:28, Robert Sayre <span dir="ltr">&lt;<a href="mailto:sayrer <at> gmail.com">sayrer <at> gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote">
<div class="im">&gt; Peter Saint-Andre &lt;<a href="mailto:stpeter <at> stpeter.im">stpeter <at> stpeter.im</a>&gt; wrote:<br>
&gt; 2. In 2007, Robert Sayre put together a few slides on the topic:<br>
&gt; <a href="http://people.mozilla.com/~sayrer/2007/auth.html" target="_blank">http://people.mozilla.com/~sayrer/2007/auth.html</a><br><br>
</div>These are back on the Web, in case anyone missed them (probably not).<br><div class="im">
<br>
On Sun, Dec 12, 2010 at 5:39 PM, Roy T. Fielding &lt;<a href="mailto:fielding <at> gbiv.com">fielding <at> gbiv.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Define them all and let's have a bake-off. &nbsp;It has been 16 years since<br>
&gt; HTTP auth was taken out of our hands so that the security experts could<br>
&gt; define something perfect. &nbsp;Zero progress so far.<br><br>
</div>
I think the IETF might do better to focus on a smaller problem, at<br>
first. People often use self-signed certificates with HTTP/TLS, even<br>
though the first thing their websites ask the user to do is type a<br>
username and password into a form. There are some well-understood ways<br>
to make this process more secure. Why hasn't the IETF fixed this<br>
problem? If this smaller problem has no ready solution, then the<br>
larger issue of authentication on the entire Web seems like a tough<br>
nut to crack.<br>
</blockquote>
<div><br></div>
<div>Two comments (one really being a response to Roy):</div>
<div><br></div>
<div>1. The IETF has fixed the problem, but no-one is using the fix - perhaps because it is not clear that it is the fix. I speak of RFC 4279, TLS pre-shared keys. These could be derived from a hash of the password and the site name, for example, and thus provide secure mutual authentication despite password reuse.</div>
<div><br></div>
<div>2. I have often heard (though I am not aware of hard evidence for this, nevertheless I find it plausible) that one reason no-one has bothered to improve HTTP auth is because no-one would use it since site owners want to control the user experience around signin. It seems to me, therefore, that HTTP is the wrong layer to fix the problem at - it needs to be pushed down into HTML or Javascript so that the page can control the look, while appropriate HTML elements or JS code can deal with the secure exchange of data.</div>
<div><br></div>
<div>Of course, this still leaves the issue of trusted path: although we can provide elements which are safe to use, even when being phished, how does the user know those elements are actually being used, rather than simulated so as to get hold of the underlying password?</div>
<div><br></div>
<div>The answer to this problem is hard, since it brings us back to taking the UI out of the sites hands.</div>
<div><br></div>
<div>&nbsp;</div>
<blockquote class="gmail_quote">

It could be that the reasons for this lack of progress are<br>
nontechnical. Just throwing that out there.<br>
</blockquote>
<div><br></div>
<div>If you think UI is nontechnical, then I agree.</div>
<div><br></div>
<div>Cheers,</div>
<div><br></div>
<div>Ben.</div>
<div><br></div>
</div>
</div>
Permalink | Reply | 43 comments |
headers
Sean Turner | 6 Jan 2011 19:34

Fwd: time to act on IETF-80 BOFs

FYI

-------- Original Message --------
Subject: time to act on IETF-80 BOFs
Date: Wed, 05 Jan 2011 22:29:34 +0100
From: Jari Arkko <jari.arkko <at> piuha.net>
To: IETF Discussion <ietf <at> ietf.org>, Working Group Chairs 
<wgchairs <at> ietf.org>

Just as a reminder, if any of you are thinking of proposing new IETF
work: the deadline for BOF proposals for the next meeting is January
31st. But if you have something in mind, please talk to your ADs as soon
as possible. More information at
http://www.ietf.org/meeting/cutoff-dates-2011.html#IETF80

Jari
Permalink | Reply | 0 comments |
headers
der Mouse | 6 Jan 2011 19:35

Re: [websec] [apps-discuss] [kitten] HTTP authentication: the next generation

> Look back far enough and you'll find all kinds of "electronic mail"
> services implementing the full range of peer and end user
> authentication, and sender-pays models.  There was no spam on those
> systems, or at least not enough that anyone felt like they needed a
> word for it.

There was basically no spam on open-Internet SMTP mail either, at the
time.  Certainly "no spam" by today's standards.

> Guess why we use the one we use today.

At the time, the services you deride weren't providing a significant
value-add.

Today?  They would be.  Perhaps not enough to make up for their costs;
probably not, in fact, or there'd be businesses arising in that space.

As a side note, it's interesting to see how well the early Internet
designers built; their systems are routinely being stressed several
orders of magnitude beyond what they were designed for, and are holding
up remarkably well.  The postal system did collapse when it started
suffering from spam; that's why the paper chain mail is actually
illegal in many jurisdictions - it took down the postal system, once
upon a time.  The telphone system would collapse if phone spam
outnumbered real calls by 10, 25, 100 to 1.  (Actually, in a sense they
already do.  I have a fax line set up, and get dozens of fax spams for
every real fax.  I've had to start adapting and applying my email spam
fighting techniques there....)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse <at> rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Permalink | Reply | 2 comments |
headers
Novikov, Lev | 11 Jan 2011 00:58
Picon
Favicon

-02 draft of CICM posted

The -02 draft of the Common Interface to Cryptographic Modules (CICM) has been posted.
Comments are solicited to <cicm <at> ietf.org>.

Some new issues have been discovered as a result of this recent work and will be raised on the mailing list soon.

This revision restructures CICM into five documents as discussed back in July:

1. [CICM-LM] An informative background document that provides an introduction to the space, 
   the terminology, and logical model. <http://tools.ietf.org/html/draft-lanz-cicm-lm>

2. [CICM] A normative base document that defines the basic types and the Conformance & Extension model.
   <http://tools.ietf.org/html/draft-lanz-cicm>

3. [CICM-MM] A normative document that defines Module Management capabilities.
   <http://tools.ietf.org/html/draft-lanz-cicm-mm>

4. [CICM-KM] A normative document that defines Key Management capabilities.
   <http://tools.ietf.org/html/draft-lanz-cicm-km>

5. [CICM-CM] A normative document that defines Channel Management capabilities.
   <http://tools.ietf.org/html/draft-lanz-cicm-cm>

As discussed previously, the document labeled [CICM] is the normative document upon which all other
documents (except CICM-LM) are based.

Other Changes:
 - figures added to illustrate basic concepts
 - sample ICS added

Pending Changes:
 - adding ABNF syntax for generating identifiers (in progress)

Lev
Permalink | Reply | 0 comments |
headers
Blaine Cook | 9 Jan 2011 02:29
Picon
Gravatar

Re: [apps-discuss] [websec] [kitten] HTTP authentication: the next generation

On 8 January 2011 11:49, Zed A. Shaw <zedshaw <at> zedshaw.com> wrote:
> On Sat, Jan 08, 2011 at 09:37:00AM -0800, Blaine Cook wrote:
> I don't normally respond, just being a lurker, but this statement is
> competely wrong Blaine.  OAuth may be used for more requests, but not
> more sites.  It's used on a tiny number of sites, with OpenID being used
> on way many more, and even then, not nowhere near the number of websites
> that form based authentication and browser authentication methods.
>
> Don't equate twitter having a ton of traffic to OAuth being some kind of
> raving success, and sure as hell don't evaluate the technical merits of
> something by its popularity.

Agreed - though, facebook is also using oauth-based (not 1.0, but
essentially the same approach) logins, and there are a number of other
sites that do provide oauth-based login infrastructure.

Moreover, the nudge towards oauth is intended with the movement
towards a new auth infrastructure in mind. We'd need some kind of
discovery / negotiation mechanism on top to make it not the
one-or-two-companies-own-the-web play that login-over-oauth is now.
(c.f. OpenID Connect).

b.

> While I agree that TLS client side isn't going to work, none of the
> proposed authentication methods will work without a change to browsers
> to support a way for two websites to establish a session in the browser.
> If that feature existed you would cut down on a lot of the complexity of
> things like OpenID and OAuth.

Again, agreed. ;-)

for the record, I don't think that OAuth itself is a suitable
replacement for HTTP authorisation, but wanted to stir the pot,
especially away from overwrought technical solutions that don't
actually solve anyone's needs.

b.
_______________________________________________
saag mailing list
saag <at> ietf.org
https://www.ietf.org/mailman/listinfo/saag
Permalink | Reply | 0 comments |
headers
Ben Laurie | 9 Jan 2011 20:21
Picon
Favicon

Re: [apps-discuss] [websec] [kitten] HTTP authentication: the next generation

On 9 January 2011 18:32, Zed A. Shaw <zedshaw <at> zedshaw.com> wrote:
> On Sun, Jan 09, 2011 at 01:44:12PM +0000, Ben Laurie wrote:
>> > for the record, I don't think that OAuth itself is a suitable
>> > replacement for HTTP authorisation, but wanted to stir the pot,
>> > especially away from overwrought technical solutions that don't
>> > actually solve anyone's needs.
>>
>> Towards ones that are ripe for phishing and have no privacy
>> protections? I don't believe that's a good direction.
>
> Ripe for phishing?  I must have missed a whole conversation in all this
> cross posting, because last I checked none of the proposed solutions
> prevent phishing.
>
> If you can phish one site you can phish another.  It's not the sites or
> the protocol that causes phishing, or whether you've got a billion
> redirects or diffie-helman to the hilt.  OpenID or Oauth or
> plain-old-form-auth don't prevent or cause phishing.
>
> What causes phishing is users have no idea that two websites are
> different.

Whilst I do not disagree with this claim, you are wrong. There are
protocols which effectively prevent phishing - so long as password
entry is done in an unspoofable UI.

I am sure that you will respond that UI can be spoofed as easily as a
website can be, and I'm almost ready to agree with that, given that we
still don't have a good answer to that, however, my one small ray of
hope in this regard is that there's only one UI we need to make
unspoofable as opposed to a million websites. And, what's more, we
don't really need to invoke it every time a user logs in to a website
- really what we want is for the user to authenticate to their device
and have the device handle the rest.

OpenID and OAuth are particularly nasty, even by today's standards,
because they provide a trivial route for the phisher to do a perfect
MitM attack on the IdP.
Permalink | Reply | 0 comments |
headers
Marsh Ray | 9 Jan 2011 22:07
Favicon

Re: [websec] [apps-discuss] [kitten] HTTP authentication: the next generation

On 01/09/2011 02:16 PM, Zed A. Shaw wrote:
> On Sun, Jan 09, 2011 at 07:21:34PM +0000, Ben Laurie wrote:
>> Whilst I do not disagree with this claim, you are wrong. There are
>> protocols which effectively prevent phishing - so long as password
>> entry is done in an unspoofable UI.
>
> Alright, to avoid any "violent agreement", can you point me at any
> documentation you have on your proposed solution?

As you pointed out Zed, phishing isn't something that happens to a
protocol or an application - it's something the user decides to do.

Phishing can be said to have been prevented only when the user can be
relied upon to refuse to enter his password into an insecure box.

Now there may be some useful mitigations at the app or protocol level. 
For example, my bank asks for my username and then shows me a familiar 
picture (e.g., a rocking horse) that is supposed to prevent phishing. 
This stops phishing only in the sense that it requires the attacker to 
use a CGI proxy app rather than simple static phishing site.

For some sites that probably cuts down on the rate of phishing attacks 
quite a bit. But something so easy to bypass is likely to depend on a 
steady supply of easier targets keeping the attackers busy. If I wanted 
that kind of security for my car, I should try to convince everyone else 
in town to leave theirs unlocked with the keys in the ignition. I don't 
think it will be useful against a determined, targeted attack.

On 01/09/2011 02:13 PM, Peter Saint-Andre wrote:
>
> And please start cc'ing only http-auth <at> ietf.org, not all the other
> lists.

You're trying to convince users not to do something that the interface 
begs them to do, like hit 'reply all', or trying out every password they 
know. It's not part of the protocol.

- Marsh
Permalink | Reply | 0 comments |
headers
=JeffH | 22 Jan 2011 02:12

fyi: [certid] IESG approval of draft-saintandre-tls-server-id-check-14

Subject: [certid] IESG approval of draft-saintandre-tls-server-id-check-14
From: Peter Saint-Andre <stpeter <at> stpeter.im>
Date: Thu, 20 Jan 2011 19:20:57 -0700 (18:20 PST)
To: IETF cert-based identity <certid <at> ietf.org>

During its telechat earlier today, the IESG approved version -14 of
draft-saintandre-tls-server-id-check as a Proposed Standard (not BCP).

I'll leave it to Alexey Melnikov, our sponsoring area director, to
explain the details about where we go from here (e.g., possible
incorporation of small text modifications resulting from the discussion
thread between Matt McCutchen and Jeff Hodges over the last 3 days).

For myself, I fully expect to be working on a bis draft at some point in
the next few years, because I don't think that this I-D is quite the
final word on the topic. However, I do think it brings us closer to wide
consensus regarding application service identity, and that perhaps the
bis draft could be a true BCP (developed, I would think, within the TLS WG).

Thanks to everyone who contributed to and provided feedback on this
document -- your input is very much appreciated!

Peter

--

-- 
Peter Saint-Andre
https://stpeter.im/
Permalink | Reply | 0 comments |
headers
Sean Turner | 31 Jan 2011 20:28

IETF 80 Security Sessions Requested To Date

All,

IETF 80 is quickly approaching.  I wanted to let everyone know about the 
meeting session requests that have been received to date:
  abfab
  dane
  dkim
  emu
  hokey
  nea
  pkix
  tls

No request received:
  isms
  kitten
  krb

Not intending to meet:
  ipsecme
  ltans

I'll give everybody an update come tomorrow wrt the BOFs.

spt
Permalink | Reply | 0 comments |
headers
Sean Turner | 31 Jan 2011 21:00

Fwd: NomCom 2010-2011: IESG Appointments

In case you're not on the ietf-announce <at> ietf.org or ietf <at> ietf.org lists. 
  Here are the IESG appointments.

Congrats to Stephen.  And, thanks to all those who offered to serve.

spt

-------- Original Message --------
Subject: NomCom 2010-2011: IESG Appointments
Date: Mon, 31 Jan 2011 10:11:22 -0800 (PST)
From: NomCom Chair <nomcom-chair <at> ietf.org>
To: IETF Announcement list <ietf-announce <at> ietf.org>

Hi Folks,

The 2010-2011 IETF Nominating committee is pleased to announce the
selection of the IESG members whose two year terms start in March 2011.

The following have been selected to serve as ADs by the nominating
committee for the open IESG positions and confirmed by the IAB in their
role as confirming body:

GEN/IETF Chair: Russ Housley
Applications: Pete Resnick
Internet: Ralph Droms
Operations and Management: Ron Bonica
Real-time Applications and Infrastructure: Robert Sparks
Routing: Adrian Farrel
Security: Stephen Farrell
Transport: Wesley Eddy

Our thanks to the incumbents who are not returning for their outstanding
service, to the many qualified members of the community who offered to
serve, to the community for their assistance in this process, and to the
named individuals above for agreeing to serve the community on the IESG.

Best Regards,

Thomas Walsh
nomcom-chair <at> ietf.org
twalsh <at> juniper.net

_______________________________________________
IETF-Announce mailing list
IETF-Announce <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-announce
Permalink | Reply | 1 comment |

Gmane