[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Re: Cookies at XML Europe 2004 -- Call forParticipation
At 3:32 PM +0000 1/8/04, Alaric B Snell wrote: >Elliotte Rusty Harold wrote: >> At 12:08 PM +0000 1/8/04, Alaric B Snell wrote: >> >>> Yes, Digest auth is pretty good - it'd be great if it was >>>implemented widely enough to actually be safely usable, though :-( >>> >> Please elaborate. Is it a browser issue? a server issue? Is it >>implemented but just not turned on. Name names. Who deserves praise >>and who deserves calumny? Inquiring minds want to know. > >Let me see... > >http://static.userland.com/userLandDiscussArchive/msg012483.html That's from 1999. What it says boils down to Netscape 4.x doesn't support this. I'd still like to support Netscape 4.x, so that's an issue. Still, if anyone has more current information on browser support, that would be useful. >http://www.unixpapa.com/auth/basic.html#sec2.2 > \-> ('2.2.3. Why Digest Authentication Isn't Used') This one is a very well-written discussion of how all this works. Very useful. Thanks. The key piece of information is this: Now versions of it have appeared Internet Explorer 5.0, Mozilla 0.9.7, Opera 6. Microsoft's IIS 5.0 server also supports it. Netscape's 4.0 browers do not support it. The bad news is, Microsoft implemented it differently than everyone else, so IIS only works with IE, and IE only works with IIS. All other browsers are compatible with Apache, but not IIS. Why are we not surprised? However, this piece was originally written in 1997 and updated in 2003 though it's not clear what changed. The browsers mentioined here are all a few years old at least. It would be nice to know what the current status is. I know people are still using Netscape 4.x and IE 5. I'd be surprised to see Mozilla 0.97 though. And it's possible the bugs in IIS have since been fixed. Does anyone know? >I came across a page that reminded me of another downside to HTTP >auth - there's no way for the server to cancel the session if it >believes the session might be compromised (eg, the same user appears >to be logging in from two entirely unrelated machines, or trying to >brute-force guess something or whatnot) without entirely shutting >down the user account, I'm not sure how this really distinguishes the two options in favor of cookies. If implemented, this would help defend against a replay attack, but it digest authentication isn't subject to that, unlike cookies. If somebody's trying to brute force guess passwords by logging in repeatedly, that's pretty much the same issue with either cookies or digest authentication. If the same user is logged in from two entirely unrelated machines (not impossible of course, but might indicate an attack) using passwords, or in some other way you suspect the password has been cracked, then you want to shut off the account and reverify via e-mail regardless. I don't see a big difference between the two types of authentication here. > and browsers don't seem to provide an accessible interface to "log >out" by making the browser forget the username/password combo it has >stored for the realm there and then at the click of a button. It is doable, at least in Mozilla, but you're right. It should be easier. >However, there are still more fundamental issues with authentication >mechanisms a little more heavyweight than just a username and >password. Eg, there are public key crypto devices such as the Java >iButtons that can do a public key signing in a few seconds; this is >perfect if you just use that to securely choose a session key while >authenticating yourself to the server and can continue to use that >session key, but it would be bad to force a two second delay on >every HTTP request (especially for image-heavy pages :-) A lot of pages that use SSL deliberately serve images from a different server (or the same server) using plain vanilla http over unencrypted TCP for precisely this reason. As long as the images themselves aren't secret, there's no need to incur the cost for the images. -- Elliotte Rusty Harold elharo@m... Effective XML (Addison-Wesley, 2003) http://www.cafeconleche.org/books/effectivexml http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|