-- requiring the user to provide a user name and password as a means
of identification, for example, for purposes of gathering accurate
usage statistics on a server. When used in this way it is tempting to
think that there is no danger in its use if illicit access to the
protected documents is not a major concern. This is only correct if
the server issues both user name and password to the users and in
particular does not allow the user to choose his or her own password.
The danger arises because naive users frequently reuse a single
password to avoid the task of maintaining multiple passwords.
If a server permits users to select their own passwords, then the
threat is not only illicit access to documents on the server but also
illicit access to the accounts of all users who have chosen to use
their account password. If users are allowed to choose their own
password that also means the server must maintain files containing
the (presumably encrypted) passwords. Many of these may be the
account passwords of users perhaps at distant sites. The owner or
administrator of such a system could conceivably incur liability if
this information is not maintained in a secure fashion.
Basic Authentication is also vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that he is connecting to a
host containing information protected by basic authentication when in
fact he is connecting to a hostile server or gateway then the
attacker can request a password, store it for later use, and feign an
error. This type of attack is not possible with Digest Authentication
[32]. Server implementers SHOULD guard against the possibility of
this sort of counterfeiting by gateways or CGI scripts. In particular
it is very dangerous for a server to simply turn over a connection to
a gateway since that gateway can then use the persistent connection
mechanism to engage in multiple transactions with the client while
impersonating the original server in a way that is not detectable by
the client.
15.2 Offering a Choice of Authentication Schemes
An HTTP/1.1 server may return multiple challenges with a 401
(Authenticate) response, and each challenge may use a different
RFC 2068 HTTP/1.1 January 1997
scheme. The order of the challenges returned to the user agent is in
the order that the server would prefer they be chosen. The server
should order its challenges with the "most secure" authentication
scheme first. A user agent should choose as the challenge to be made
to the user the first one that the user agent understands.
When the server offers choices of authentication schemes using the
WWW-Authenticate header, the "security" of the authentication is only
as malicious user could capture the set of challenges and try to
authenticate him/herself using the weakest of the authentication
schemes. Thus, the ordering serves more to protect the user's
credentials than the server's information.
A possible man-in-the-middle (MITM) attack would be to add a weak
authentication scheme to the set of choices, hoping that the client
will use one that exposes the user's credentials (e.g. password). For
this reason, the client should always use the strongest scheme that
it understands from the choices accepted.
An even better MITM attack would be to remove all offered choices,
and to insert a challenge that requests Basic authentication. For
this reason, user agents that are concerned about this kind of attack
could remember the strongest authentication scheme ever requested by
a server and produce a warning message that requires user
confirmation before using a weaker one. A particularly insidious way
to mount such a MITM attack would be to offer a "free" proxy caching
service to gullible users.
15.3 Abuse of Server Log Information
A server is in the position to save personal data about a user's
requests which may identify their reading patterns or subjects of
interest. This information is clearly confidential in nature and its
handling may be constrained by law in certain countries. People using
the HTTP protocol to provide data are responsible for ensuring that
such material is not distributed without the permission of any
individuals that are identifiable by the published results.
15.4 Transfer of Sensitive Information
Like any generic data transfer protocol, HTTP cannot regulate the
content of the data that is transferred, nor is there any a priori
method of determining the sensitivity of any particular piece of
information within the context of any given request. Therefore,
applications SHOULD supply as much control over this information as
possible to the provider of that information. Four header fields are
worth special mention in this context: Server, Via, Referer and From.
RFC 2068 HTTP/1.1 January 1997
=79= |
