Re: RE: Encoding charset of HTTP Basic Authentication
I know this is an old thread (and this is not really the right list for a detailed discussion on this topic), but I did some musings on what would be involved to doing digest style authentication of password data in HTML form data. I've written a quick blog post up on it and to me it seems quite doable. Have a read at: http://codalogic.com/blogs/pete/?p=376

Thanks for your indulgence!

Pete Cordell
Codalogic Ltd
Interface XML to C++ the easy way using C++ XML data binding to convert XSD schemas to C++ classes.
Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com for more info

----- Original Message -----
From: "Pete Cordell" <petexmldev@codalogic.com>
To: "Greg Hunt" <greg@firmansyah.com>
Cc: "xml-dev" <xml-dev@lists.xml.org>
Sent: Monday, January 30, 2012 1:52 PM
Subject: Re: RE: Encoding charset of HTTP Basic Authentication

> I'm surprised I'm in a minority of one on this. I've snipped out lots of comments in a reply, but my basic position is that we shouldn't be adopting a "buyer beware" position when it comes to handling passwords when we know there are better ways to do it, and we have known that for the best part of a decade.
>
> The upside of this is that I will be delving into my server configs and changing them to use Digest if I can. So I'm pleased that the topic has been raised from that point of view.
>
> A quick question before I do though, does Digest require the server to have access to the password in clear text form, whereas Basic allows the server to store the password in some hashed form?
>
> Thanks,
>
> Pete Cordell
> Codalogic Ltd
> Interface XML to C++ the easy way using C++ XML data binding to convert XSD schemas to C++ classes.
> Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com for more info
>
> ----- Original Message -----
> From: "Greg Hunt" <greg@firmansyah.com>
> To: "Pete Cordell" <petexmldev@codalogic.com>
> Cc: "xml-dev" <xml-dev@lists.xml.org>
> Sent: Monday, January 30, 2012 11:29 AM
> Subject: Re: RE: Encoding charset of HTTP Basic Authentication
>
>> Surely most of us here get paid to know how things work and what their strengths and weaknesses are. The level of knowledge is sadly lower than it should be, but to paraphrase you, that's no excuse. I don't think that digest was part of HTTP 1.0 and retiring standards is difficult.
>>
>> This, and the original issue, about character sets, is just evidence that things change; the industry's accepted level of knowledge and ideas of good practice evolves and it's up to us to understand the history. The difficulty in using anything other than 8859-1 in post data (not exactly a lot of difficulty, but enough to cause a recurring class of unicode handling bug that people ring me up about) is probably another wrinkle related to what caused the lack of specification of the character set hidden in the base64 encoding. The past had a different set of problems to the present. There was a page linked to earlier in this thread that asserted that the SSL threat model is entirely wrong. Perhaps today that is true, but if you go back to the mid 90s there were large scale intrusions into network core routers, the network WAS relatively insecure and the security problem was not mostly trojans and key loggers on Windows desktops. We have to live with the past, more and more of it in IT as time goes by.
>>
>> On Mon, Jan 30, 2012 at 8:46 PM, Pete Cordell <petexmldev@codalogic.com> wrote:
>>
>>> Original Message From: "Michael Sokolov"
>>>
>>> (I've flipped the order of Michael's reply to make the more important comment first.)
>>>
>>>> But yes, it's not good for public-facing auth, etc, and probably people (like you!) who don't know what it is have used it as if it were secure, so for that reason I agree with you, it's not the sort of standard that should be promulgated.
>>>
>>> I think that's the rub. We all know that passwords should be kept secret, and for a mechanism whose primary purpose is to exchange passwords it surely has a duty of care to help maintain that secrecy. Sending passwords over the Internet in the clear seems no more acceptable than storing passwords in a file in plain text. No serious system would do the latter, so I think it's only reasonable that we should object when systems do the former. "We never said it was secure" is not an acceptable defence IMHO.
>>>
>>>> It's actually pretty useful as an insecure *identification* mechanism. EG if you're operating inside a firewall and just want to give people a mechanism to say who they are, allowing for the fact someone might impersonate someone else, etc. Not every authentication mechanism has to be secure, just like not every door has to be locked - I mean do you lock your bathroom door? Closing it is enough; people knock and identify themselves.
>>>
>>> True, but it doesn't seem so much harder to always use Digest. Surely it's just calling a different function for most people? (Digest may have its weaknesses too, but that's a reason for making a stronger scheme rather than giving up completely.)
>>>
>>> I feel a bit like a disgruntled customer who's found his product doesn't do what he thought it did based on the shining ads who on ringing into a help line is told that I should have read the small print on page 215 :-)
>>>
>>> Pete Cordell
>>> Codalogic Ltd
>>> Interface XML to C++ the easy way using C++ XML data binding to convert XSD schemas to C++ classes.
>>> Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com for more info
>>>
>>> ----- Original Message -----
>>> From: "Michael Sokolov" <sokolov@ifactory.com>
>>> To: "Pete Cordell" <petexmldev@codalogic.com>
>>> Cc: "Petite Abeille" <petite.abeille@gmail.com>; "xml-dev" <xml-dev@lists.xml.org>
>>> Sent: Sunday, January 29, 2012 10:31 PM
>>> Subject: Re: RE: Encoding charset of HTTP Basic Authentication
>>>
>>>> It's actually pretty useful as an insecure *identification* mechanism. EG if you're operating inside a firewall and just want to give people a mechanism to say who they are, allowing for the fact someone might impersonate someone else, etc. Not every authentication mechanism has to be secure, just like not every door has to be locked - I mean do you lock your bathroom door? Closing it is enough; people knock and identify themselves.
>>>>
>>>> But yes, it's not good for public-facing auth, etc, and probably people (like you!) who don't know what it is have used it as if it were secure, so for that reason I agree with you, it's not the sort of standard that should be promulgated.
>>>>
>>>> -Mike
>>>>
>>>> On 1/29/2012 5:15 PM, Pete Cordell wrote:
>>>>
>>>>> Holy s*** you're right. Just used wireshark on some HTTP exchanges. All this talk about online security and they effectively allow Base64 as an 'encryption' algorithm! People should go to jail for that! Still think it's a bad, bad, bad idea. SIP has deprecated it and Twitter has disabled it. As I said, I'm pretty sure the IETF wouldn't accept something similar to it these days.
>>>>>
>>>>> Pete Cordell
>>>>> Codalogic Ltd
>>>>> Interface XML to C++ the easy way using C++ XML data binding to convert XSD schemas to C++ classes.
>>>>> Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com for more info
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Pete Cordell" <petexmldev@codalogic.com>
>>>>> To: "Petite Abeille" <petite.abeille@gmail.com>; "xml-dev" <xml-dev@lists.xml.org>
>>>>> Sent: Sunday, January 29, 2012 9:35 PM
>>>>> Subject: Re: RE: Encoding charset of HTTP Basic Authentication
>>>>>
>>>>>> Convenient doesn't mean good though. I think it _can_ be used over TLS, but since HTTP needs to support other schemes for non-TLS I can't see the point. I don't think it would be accepted if it was introduced today.
>>>>>>
>>>>>> Pete Cordell
>>>>>> Codalogic Ltd
>>>>>> Interface XML to C++ the easy way using C++ XML data binding to convert XSD schemas to C++ classes.
>>>>>> Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com for more info
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Petite Abeille" <petite.abeille@gmail.com>
>>>>>> To: "xml-dev" <xml-dev@lists.xml.org>
>>>>>> Sent: Sunday, January 29, 2012 8:33 PM
>>>>>> Subject: Re: RE: Encoding charset of HTTP Basic Authentication
>>>>>>
>>>>>> On Jan 29, 2012, at 9:17 PM, Pete Cordell wrote:
>>>>>>
>>>>>>> My understanding is that Basic is essentially considered insecure
>>>>>>
>>>>>> Basic is convenient, universally supported, and meant to be used over TLS if you care about this kind of things.
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>>
>>>>>> XML-DEV is a publicly archived, unmoderated list hosted by OASIS to support XML implementation and development. To minimize spam in the archives, you must subscribe before posting.
>>>>>>
>>>>>> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>>>>>> Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
>>>>>> subscribe: xml-dev-subscribe@lists.xml.org
>>>>>> List archive: http://lists.xml.org/archives/xml-dev/
>>>>>> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
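The two technical points the thread keeps circling, what an observer of a Basic request actually sees (and the unspecified character set of the credentials), and Pete's question about whether a Digest server must hold the cleartext password, can both be shown in a few lines. The following Python is an added example written for this archive page; it is not code from any poster or from any project mentioned in the thread. The user name, realm, password, URI and nonces are constructed sample values, and the UTF-8-then-ISO-8859-1 fallback is one reading of the legacy behaviour the thread describes, not a rule from the RFCs.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Added illustration for the thread above. All user names, realms, nonces and
# passwords below are constructed sample values, not data taken from the list.


def encode_basic(username: str, password: str, encoding: str = "utf-8") -> str:
    """Build the Authorization value a client sends: base64 of "user:pass".

    RFC 2617 never said what character set those bytes are in (RFC 7617 later
    added a charset="UTF-8" challenge parameter); the encoding argument lets a
    caller emulate either a modern UTF-8 client or a legacy ISO-8859-1 one.
    """
    userpass = f"{username}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(userpass).decode("ascii")


def decode_basic(header_value: str) -> tuple[str, str]:
    """Recover (user, password) from a Basic header, exactly as a server does.

    Base64 is an encoding, not encryption, so anyone who can read the request
    can run this same function; that is why Basic is only defensible under TLS.
    Decoding tries UTF-8 first and falls back to ISO-8859-1 (a Latin-1 string
    that happens to be valid UTF-8 is inherently undecidable here).
    """
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64") from exc
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("iso-8859-1")
    # Only the first ':' separates user from password; passwords may contain ':'.
    username, sep, password = text.partition(":")
    if not sep:
        raise ValueError("user-pass must contain ':'")
    return username, password


def _md5_hex(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; used here for fidelity to the scheme
    # under discussion, not as a recommendation for new designs.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    This is the only password-derived value a Digest server needs, so it can
    store HA1 instead of the cleartext password (RFC 2617 section 4.13).
    Caveat: HA1 is an unsalted fast hash and is password-equivalent within its
    realm, so a stolen HA1 table is about as bad as a stolen password table.
    """
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, params: dict) -> bool:
    """Server-side check that needs only the stored HA1, never the password.

    compare_digest avoids leaking through timing how many leading hex digits
    of the response were correct.
    """
    expected = digest_response(stored_ha1, method, params["uri"], params["nonce"],
                               params["nc"], params["cnonce"], params["qop"])
    return hmac.compare_digest(expected, params["response"])


def digest_round_trip(password_typed_by_client: str) -> bool:
    """Enrol a user (storing HA1 only), authenticate, verify. Returns the verdict."""
    username, realm = "pete", "example-realm"            # constructed values
    stored_ha1 = digest_ha1(username, realm, "s3cret")    # enrolment; cleartext not kept
    params = {"uri": "/private/report.xml", "nonce": secrets.token_hex(8),
              "nc": "00000001", "cnonce": secrets.token_hex(8), "qop": "auth"}
    client_ha1 = digest_ha1(username, realm, password_typed_by_client)
    params["response"] = digest_response(client_ha1, "GET", params["uri"],
                                         params["nonce"], params["nc"],
                                         params["cnonce"], params["qop"])
    return verify_digest(stored_ha1, "GET", params)


if __name__ == "__main__":
    hdr = encode_basic("pete", "s3cret")
    print(hdr, "->", decode_basic(hdr))       # the password is right there
    print("digest, correct password:", digest_round_trip("s3cret"))
    print("digest, wrong password:  ", digest_round_trip("guess"))
```

Running the file prints the Basic header and its decoded contents side by side, which is the same observation the Wireshark remark in the thread makes, then shows a Digest exchange verifying with nothing but the stored HA1. The answer to the question raised above is therefore "no, Digest does not need the cleartext password, but the value it stores instead is realm-specific and password-equivalent", whereas a Basic server, having the cleartext on every request, is free to store a salted slow hash.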