Re: Secure WWW Access to Server Groups
A security consideration for this proposal:
Let's say I want to get a user's basic auth password for a particular
group. I manage to sucker the user into visiting my web server after
he has authenticated himself to some other server in that group. If my
server returns a 401 claiming to be in the target group, will not the
browser hand over the uuencoded username:password to me?
Of course this attack will fail for Digest Auth or Mediated Digest Auth,
but Basic Auth is still the most common form.
Assuming I haven't misunderstood things.... perhaps this could be
fixed by requiring some relation between the group name and any server
claiming to be in this group.
Also, a couple questions:
Were Kerberos-based solutions considered for this purpose? Just curious.
Is there any support for Mediated Digest Authentication in available
browsers and servers? I know of none.
Adam
> We recently submitted an internet draft that proposes an extension to
> HTTP to enable authentication to a group of WWW servers. Using this
> extension the user just has to type his user name and password once to
> be able to access all resources in a particular group of co-operating
> servers. The draft is available as <draft-trommler-http-ext-groups-00.txt>
> from the "usual" sites.
>
> A prototypical implementation for AIX based on Mosaic and Httpd from NCSA
> can be obtained via anonymous ftp from ftp.zurich.ibm.com in directory
> /pub/trp/server-groups.
>
> Regards,
> Peter
>
> --
> -----------------------------------------------------------
> Peter Trommler | email: trp@zurich.ibm.com|
> IBM Zurich Research Laboratory | home: c/o Fam. Gatti |
> Saumerstrasse 4 | Hornhaldenstrasse 1 |
> CH-8803 Rueschlikon/Svizzera | CH-8802 Kilchberg |
> Phone: +41-1-724 83 73 | +41-1-715 18 74 |
> -----------------------------------------------------------
> ..., but just *try* doing that when the people are in there...
>
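The credential-leak scenario Adam describes, as an added example that is not part of the original thread, the draft, or the Zurich prototype. It models a browser that caches one Basic Auth username:password per server group and replays it to any server whose 401 challenge names that group, then swaps in the fix Adam suggests (a required relation between group name and server). The `group="..."` challenge parameter, the host names, the credentials and the chosen relation (group name as a DNS suffix of the server host) are all assumptions of this example, not the syntax of draft-trommler-http-ext-groups-00. Basic Auth credentials are base64-encoded, so the attacker recovers them with a one-line decode.

```python
import base64

# Added example: in-memory model of a group-aware browser and three servers.
# The 'group="..."' challenge parameter is a hypothetical stand-in for
# whatever the draft actually specifies; host names and credentials are
# constructed for this example.


def parse_challenge(header):
    """Parse 'Basic realm="r" group="g"' into a dict (hypothetical syntax)."""
    scheme, _, params = header.partition(" ")
    fields = {"scheme": scheme}
    for part in params.split():          # parameter values contain no spaces here
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


class Server:
    """A server that demands Basic auth and advertises membership in a group."""

    def __init__(self, host, group):
        self.host, self.group = host, group
        self.received = []               # every Authorization header this server saw

    def handle(self, request):
        auth = request["headers"].get("Authorization")
        if auth is None:
            challenge = f'Basic realm="{self.host}" group="{self.group}"'
            return {"status": 401, "headers": {"WWW-Authenticate": challenge}}
        self.received.append(auth)
        return {"status": 200, "headers": {}, "body": f"hello from {self.host}"}


class Browser:
    """Caches one username:password per group. `policy(group, host)` decides
    whether a host that claims a group may receive that group's credentials."""

    def __init__(self, policy, prompt):
        self.policy = policy
        self.prompt = prompt             # asks the user; called at most once per group
        self.cache = {}                  # group -> "user:password"

    def fetch(self, server, path):
        request = {"host": server.host, "path": path, "headers": {}}
        response = server.handle(request)
        if response["status"] != 401:
            return response
        challenge = parse_challenge(response["headers"]["WWW-Authenticate"])
        group = challenge.get("group")
        if challenge["scheme"] != "Basic" or group is None:
            return response
        if not self.policy(group, server.host):
            return {"status": 401, "headers": {}, "body": "refused by browser policy"}
        if group not in self.cache:
            self.cache[group] = self.prompt(group)   # the one-time login
        token = base64.b64encode(self.cache[group].encode()).decode()
        request["headers"]["Authorization"] = "Basic " + token
        return server.handle(request)


def decode_basic(header):
    """Recover user:password from an 'Authorization: Basic <base64>' header."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def trust_any_claimant(group, host):
    """The behaviour the post worries about: any server naming the group qualifies."""
    return True


def host_must_match_group(group, host):
    """The fix the post suggests, instantiated (as an assumption) as: the group
    name is a DNS suffix that the challenging server's host name must carry."""
    return host == group or host.endswith("." + group)


def run(policy):
    """Log in once, visit two honest group members, then the attacker's lure."""
    prompts = []

    def prompt(group):
        prompts.append(group)
        return "alice:s3cret"            # constructed credentials

    browser = Browser(policy, prompt)
    www1 = Server("www1.corp.example", "corp.example")
    www2 = Server("www2.corp.example", "corp.example")
    attacker = Server("lure.evil.example", "corp.example")   # merely claims the group

    honest_ok = all(browser.fetch(s, "/")["status"] == 200 for s in (www1, www2))
    browser.fetch(attacker, "/free-stuff")   # user was lured here after logging in
    return {
        "prompts": len(prompts),
        "honest_ok": honest_ok,
        "leaked": [decode_basic(h) for h in attacker.received],
    }


if __name__ == "__main__":
    print(run(trust_any_claimant))       # leaked: ['alice:s3cret']
    print(run(host_must_match_group))    # leaked: []
```

With the permissive policy the user is prompted once, both honest servers are reached without a second prompt, and the attacker's server receives the same base64 token and decodes it to the plaintext password. With the host-to-group relation enforced the honest servers still work with a single prompt and the attacker gets nothing. A real relation would need to be something an attacker cannot satisfy by choosing a host name, for instance a signed group membership statement; the DNS-suffix rule here only illustrates the shape of the check.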