Elliotte Rusty Harold wrote:
> At 12:08 PM +0000 1/8/04, Alaric B Snell wrote:
>
>> Yes, Digest auth is pretty good - it'd be great if it was implemented
>> widely enough to actually be safely usable, though :-(
>
> Please elaborate. Is it a browser issue? a server issue? Is it
> implemented but just not turned on. Name names. Who deserves praise and
> who deserves calumny? Inquiring minds want to know.
Let me see...
http://static.userland.com/userLandDiscussArchive/msg012483.html
http://www.unixpapa.com/auth/basic.html#sec2.2
-> ('2.2.3. Why Digest Authentication Isn't Used')
...and various other less interesting links got from googling for "HTTP
Digest Supported" (many of them being archives of discussions about
wording for HTTP specs to make Basic deprecated and Digest recommended
in one way or another :-)
I came across a page that reminded me of another downside to HTTP auth -
there's no way for the server to cancel the session if it believes the
session might be compromised (eg, the same user appears to be logging in
from two entirely unrelated machines, or trying to brute-force guess
something or whatnot) without entirely shutting down the user account,
and browsers don't seem to provide an accessible interface to "log out"
by making the browser forget the username/password combo it has stored
for the realm there and then at the click of a button. With my online
bank I can hit "log out" and then feel better about leaving my machine
unattended while I go and get some food; people can't even hit "back"
to get to the pages since they're rather aggressively anti-cached
(perhaps with Javascript tricks as well?), and going back to them just
gets you a redirect to the login form.
I reckon that this stuff could be fixed RESTfully in HTTP, mainly by
making the browsers support Digest auth and better management of the
security context.
Eg, pages fetched under HTTP auth should have a special icon or banner
in the browser's user interface to show this fact. Clicking on it will
give you a dialog with the realm name and a logout button, which will
securely flush the cached credentials from the browser, AND flush all
pages fetched with that credential from the cache, ideally.
However, there are still more fundamental issues with authentication
mechanisms a little more heavyweight than just a username and password.
Eg, there are public key crypto devices such as the Java iButtons that
can do a public key signing in a few seconds; this is perfect if you
just use that to securely choose a session key while authenticating
yourself to the server and can continue to use that session key, but it
would be bad to force a two second delay on every HTTP request
(especially for image-heavy pages :-)
ABS
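The "server can't log you out" gap described above, as an added example that is not part of this thread: a toy RFC 2617 Digest exchange (MD5, qop=auth) in which the server revokes a user's nonces, and the browser, holding the cached password, simply re-signs the stale challenge. The DigestServer and Browser classes, the realm "bank" and the credentials are all constructed for the demo.

```python
import hashlib
import secrets

def h(s):  # RFC 2617 H() with the MD5 algorithm
    return hashlib.md5(s.encode()).hexdigest()

class DigestServer:  # server side of Digest auth; remembers every nonce it has issued
    def __init__(self, realm, users):  # users: name -> password (constructed data)
        self.realm, self.users, self.nonces = realm, users, {}
    def challenge(self, stale=False):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = None  # replaced by the user name once it validates
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "stale": stale}
    def revoke_user(self, user):  # the only "logout" the server has: drop that user's nonces
        self.nonces = {n: u for n, u in self.nonces.items() if u != user}
    def verify(self, auth, method):
        pw = self.users.get(auth["username"])
        if auth["nonce"] not in self.nonces:  # revoked or never issued: ask again, stale=true
            return 401, self.challenge(stale=True)
        ha1 = h(f"{auth['username']}:{self.realm}:{pw}")
        ha2 = h(f"{method}:{auth['uri']}")
        want = h(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        if pw is None or not secrets.compare_digest(want, auth["response"]):
            return 401, self.challenge()
        self.nonces[auth["nonce"]] = auth["username"]
        return 200, None

class Browser:  # caches the realm's password and silently re-signs on every 401
    def __init__(self, realm, user, pw):
        self.creds, self.nc = {realm: (user, pw)}, 0
    def authorize(self, chal, method, uri):
        user, pw = self.creds[chal["realm"]]
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        ha1, ha2 = h(f"{user}:{chal['realm']}:{pw}"), h(f"{method}:{uri}")
        resp = h(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        return {"username": user, "uri": uri, "nonce": chal["nonce"],
                "nc": nc, "cnonce": cnonce, "response": resp}

def simulate():  # -> (first status, status after revocation, stale flag, status after re-sign)
    server = DigestServer("bank", {"alice": "correct horse"})
    browser = Browser("bank", "alice", "correct horse")
    auth = browser.authorize(server.challenge(), "GET", "/account")
    first, _ = server.verify(auth, "GET")
    server.revoke_user("alice")  # server suspects the session is compromised
    second, chal = server.verify(auth, "GET")  # next request on the old nonce is refused
    third, _ = server.verify(browser.authorize(chal, "GET", "/account"), "GET")
    return first, second, chal["stale"], third
```

Nothing short of removing the user from the password table (or the browser forgetting the realm's credentials) actually ends the session, which is the point made in the mail.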