
Re: Secure WWW Access to Server Groups

On Apr 18, 17:11, Adam Cain wrote:
> Subject: Re: Secure WWW Access to Server Groups
> A security consideration for this proposal:
> Let's say I want to get a user's basic auth password for a particular
> group.  I manage to sucker the user into visiting my web server after
> he has authenticated himself to some other server in that group.  If my
> server returns a 401 claiming to be in the target group, will not the
> browser hand over the uuencoded username:password to me?
> Of course this attack will fail for Digest Auth or Mediated Digest Auth,
> but Basic Auth is still the most common form.
Basic authentication is not secure at all and we think it should be replaced
as soon as possible. The "sucker attack" is much easier to mount than
monitoring network traffic but on the other hand, you have to be patient
and wait for the user to access your server. But we will include a section
on this in a revised version of the draft.
> Assuming I haven't misunderstood things.... perhaps this could be
> fixed by requiring some relation between the group name and any server
> claiming to be in this group.
I don't think this is a good idea. This can only be done by sacrificing
flexibility. You could restrict the servers to be in the same domain or
somehow enumerate all members of the group and put this into the group name.
Mutual authentication like in MDA provides more security while retaining
> Also, a couple questions:
> Were kerberos-based solutions considered for this purpose?  Just curious.
Of course, you could use Kerberos but our goal was to extend the existing
authentication schemes for the Web. The use of Kerberos in the Web and then
also for group authentication seems to be beyond the scope of our proposal.
> Is there any support for Mediated Digest Authentication in available
> browsers and servers?  I know of none.
See our ftp site ftp://ftp.zurich.ibm.com/pub/trp/server-groups
This implementation extends Mosaic and HTTPd to support MDA. Check out
the README file for the limitations of the prototype.
>-- End of excerpt from Adam Cain


Peter Trommler                  | email: trp@zurich.ibm.com| 
IBM Zurich Research Laboratory  | home: c/o Fam. Gatti     | 
Saumerstrasse 4                 | Hornhaldenstrasse 1      | 
CH-8803 Rueschlikon/Svizzera    | CH-8802 Kilchberg        | 
Phone: +41-1-724 83 73          | +41-1-715 18 74          | 
..., but *do* that when the people are inside...
