[4542] in WWW Security List Archive


Re: Basic Authentication

daemon@ATHENA.MIT.EDU (Douglas Song)
Thu Feb 20 19:58:23 1997

Date: Thu, 20 Feb 1997 16:55:19 -0500 (EST)
From: Douglas Song <dugsong@umich.edu>
Reply-To: Douglas Song <dugsong@umich.edu>
To: Aaron Abelard <aarona@iquest.net>
cc: www-security@ns2.rutgers.edu, www-security@umich.edu
In-Reply-To: <Pine.SV4.3.91.970220084052.24549E-100000@iquest4>
Errors-To: owner-www-security@ns2.rutgers.edu

On Thu, 20 Feb 1997, Aaron Abelard wrote:

> Here's something very on topic for www-security.  According to the HTTP/1.0
> specification (http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#AA) the 
> username and password used in Basic Authentication is sent as clear 
> text.  Does this not allow for the possibility of the information being 
> snooped?  Also, are there any authentication schemes in use other than 
> Basic?  

There aren't any currently, and Netscape at least ALWAYS interprets the
'WWW-Authenticate' header as having a value of 'Basic' (so you get
prompted for a username and password) even if something else is specified! 
This has to change if they want to support the new HTTP 1.1 digest
authentication scheme (RFC 2069), and any future authentication methods
(such as Kerberos, which we're looking at implementing now as an extension
of the digest auth scheme). 

Browsers should just give up and display the HTML following the 401
(Unauthenticated) status if they don't support the auth type specified in
a 'WWW-Authenticate' field. Defaulting to 'Basic' is just a really BAD
idea (check out section 15.2 of the HTTP 1.1 specification for reasons why
- http://andrew2.andrew.cmu.edu/rfc/rfc2068.html)...

---
Dug Song <dugsong@UMICH.EDU>
University of Michigan ITD Systems Research Programmer
http://www-personal.umich.edu/~dugsong
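As an added example (not part of Dug Song's post or any browser's code): a client-side routine that parses the WWW-Authenticate challenge and returns no scheme, rather than falling back to Basic, when the server asks for something the client does not support, alongside a decode of a Basic credential showing that base64 is an encoding, not encryption. The challenge strings, realm names and the Kerberos scheme line are constructed for illustration.

```python
import base64
import re

# Constructed sample challenges, not taken from any real server.
CHALLENGES = [
    'Basic realm="example-realm"',
    'Digest realm="example-realm", nonce="abc123nonce", qop="auth"',
    'Kerberos realm="EXAMPLE.ORG"',   # hypothetical scheme a 1997 client would not know
]

# name=value pairs, value either quoted or a bare token
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,\s]*))')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value}).

    The scheme is the first token; everything after it is a comma-separated
    list of name=value parameters (realm, nonce, qop, ...)."""
    m = re.match(r'\s*([A-Za-z0-9_-]+)\s*(.*)$', header)
    if not m:
        raise ValueError("malformed challenge: %r" % header)
    scheme, rest = m.group(1).lower(), m.group(2)
    params = {}
    for name, quoted, bare in _PARAM_RE.findall(rest):
        params[name.lower()] = quoted if quoted else bare
    return scheme, params


def select_scheme(header, supported):
    """Return the challenge's scheme only if the client implements it.

    None means: render the 401 body and do NOT prompt for Basic credentials,
    which is the behaviour the post argues browsers should have."""
    scheme, _ = parse_challenge(header)
    return scheme if scheme in supported else None


def decode_basic(authorization):
    """Recover the user:password pair from a Basic Authorization header.

    Anyone who can read the request on the wire can do exactly this."""
    scheme, _, token = authorization.partition(' ')
    if scheme.lower() != 'basic':
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode('latin-1').partition(':')
    return user, password
```

`decode_basic` uses the RFC 2617 sample credential `Aladdin:open sesame` in the checks below; on the wire a Basic header is only as private as the transport carrying it.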
