Upgrading the Plumbing

by | August 2nd, 2007

Infrastructure both online and offline becomes outdated or outmoded, and the core protocol of Web transmission – HTTP – is no exception. For years, Web developers have been both successful and stymied by this simple, stateless protocol. For example, consider the issue of authentication under HTTP. Basic Authentication should be familiar to readers as that which uses the ugly browser dialog box challenge:

logings

The mere fact that the login prompts are ugly gets some people to avoid this approach. Yet even worse, security-wise basic authentication isn’t a terribly great way to protect things because passwords are sent in a simple Base-64 encoded format (basically plain-text).

in the clear

If you aren’t using SSL you are pretty much exposed out in the open. Yikes!

Now you could employ Digest style authentication which would look the same in the prompted sense but would pass a secured hash of the password. Unfortunately this is poorly implemented in browsers and servers, so few people employ it.

Even if you just dealt with HTTP authentication you run into other problems, the first being how do you actually log out with HTTP authentication? The easy answer is you can’t; the more subtle answer is you kind of can depending on browser and technology in play. At best the solution is messy. Now why you should care might not be obvious, but without logout you are subject to potential CSRF attacks against a previously authenticated site you may have visited. Very dangerous stuff!

The rough edges of HTTP authentication encourages most folks to turn to form-cookie based authentication systems. Of course such systems have their problems. While you can customize them to your heart’s content, the usage of cookies has problems in terms of session hijacking as well as user’s being paranoid of the privacy implications of the technology. If we could rid ourselves of cookies for authentication we would close a number of common attacks and refocus user’s privacy fears towards the actual bad use of such technologies.

Ok so the trade-off for Web authentication isn’t great – what does all this have to do with the plumbing of the Web? Well this type of ugliness and other problems might be fixed someday! HTTP is finally going to get an overhaul. The only question is how much? Recently the IETF took up discussing HTTP again and the camps are forming quickly. One camp says we make some small changes and tighten the protocol down (see http://tools.ietf.org/html/draft-lafon-rfc2616bis-03). Another camp is saying let’s fix this horribly old mechanism that does not address the security, commerce and transport challenges of today.

I see the merits of both arguments and think it is likely that both will end up being done – the short term changes being made and the long term acknowledgment that HTTP 1.1 really does need a pretty major upgrade. However, don’t hold your breath, both upgrades could still take a while to come to fruition. This is a pretty massive overhaul and if the adoption of IPv6 is any guide maybe your children will use the new protocols.



About

Thomas Powell is a long-time web industry veteran, as well as the founder and CEO of PINT.

  • dbutler

    Can an MD5 hash also be sniffed out in the same manner? It’s scary seeing those huge decryption databases out there.

    What is your preferred authentication method for quick projects and coursework?