Re: Insecure WWW Access Authorization Protocol?

Rob McCool (robm@ncsa.uiuc.edu)
Wed, 16 Mar 1994 02:18:01 --100


/*
* Insecure WWW Access Authorization Protocol? by michael shiplett
* written on Mar 6, 5:16pm.
*
* I had a colleague look over a proposed Kerberos-based HTTP
* authentication protocol I had closely based on the PEM/PGP & RIPEM
* exchanges.

* He pointed out that a man-in-the-middle attack could allow
* an evil entity to masquerade as the server since the exchange goes
* from cleartext to encrypted.
*
* Unless Alice knows how to authenticate to Bob prior to initiating
* the transaction, Mallot will be able to subvert Alice's request. The
* basic flaw is Alice relies on the "401 Unauthorized" response for
* authentication information, e.g., public key, Kerberos principal, etc.

* I think this attack would work against any authentication
* protocol following the WWW Access Authorization protocol examples.
*/

Yes, which is why we are changing Mosaic's behavior for PGP/PEM and, in the
future, Kerberos, to not send the request unencrypted first, but to get the
authentication information from the user and allow the user to force Mosaic
to send the request encrypted the first time.

There are more problems for privacy using 401 than the one you're focusing
on. Namely, if a form has a credit card number in it that you don't want
going out in plaintext, it will go out in plaintext anyway the first time
the browser sends the request.

--Rob

obvious problems for privacy in this model