[4554] in WWW Security List Archive
Re: Basic Authentication
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Feb 21 10:09:09 1997
To: Aaron Abelard <aarona@iquest.net>
Date: Fri, 21 Feb 1997 11:20:18 +0000 (GMT)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: dugsong@umich.edu, www-security@ns2.rutgers.edu, www-security@umich.edu
In-Reply-To: <Pine.SV4.3.91.970220170124.6142A-100000@iquest4> from "Aaron Abelard" at Feb 20, 97 05:02:20 pm
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu
Aaron Abelard wrote:
>
> On Thu, 20 Feb 1997, Douglas Song wrote:
>
> > On Thu, 20 Feb 1997, Aaron Abelard wrote:
> >
> > > Here's something very on topic for www-security. According to the HTTP/1.0
> > > specification (http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#AA) the
> > > username and password used in Basic Authentication is sent as clear
> > > text. Does this not allow for the possibility of the information being
> > > snooped? Also, are there any authentication schemes in use other than
> > > Basic?
> >
> > There aren't any currently, and Netscape at least ALWAYS interprets the
> > 'WWW-Authenticate' header as having a value of 'Basic' (so you get
> > prompted for a username and password) even if something else is specified!
> > This has to change if they want to support the new HTTP 1.1 digest
> > authentication scheme (RFC 2069), and any future authentication methods
> > (such as Kerberos, which we're looking at implementing now as an extension
> > of the digest auth scheme).
> >
> > Browsers should should just give up and display the HTML following the 401
> > (Unauthenticated) status if they don't support the auth type specified in
> > a 'WWW-Authenticate' field. Defaulting to 'Basic' is just a really BAD
> > idea (check out section 15.2 of the HTTP 1.1 specification for reasons why
> > - http://andrew2.andrew.cmu.edu/rfc/rfc2068.html)...
> >
>
> I agree. Since this is very on-topic for this list, I'd be curious if
> anyone watching this list is also in the development team for Apache and
> knows if Apache will be supporting RFC 2069?
It already does. Strictly as an experimental implementation, in that it has not
been tested against any other implementation (as far as I'm aware), and imposes
no restrictions on the nonce, and therefore is totally vulnerable to a replay
attack.
This support is in version 1.2, BTW.
Cheers,
Ben.
--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author
