On 24.08.2011, at 20:40, Oleg Kalnichevski wrote: > On Wed, 2011-08-24 at 16:46 +0000, Fredrik Jonson wrote: >> Oleg Kalnichevski wrote: >> >>> I contend that preemptive authentication is conceptually flawed and poses >>> major security risks in the overwhelming majority of cases. >> >> What is it that is conceptually flawed with using preemtive authentication, >> when you with certainty know the http request that is about to be performed >> always will require authentication? >> > > The overhead of letting the first request in a session to get challenged > by the origin server and caching the authentication state for the rest > of the session is virtually negligible. The whole idea of using > preemptive authentication to order to save one HTTP round-trip is a > complete and utter idiocy.
A common scenario where this is not possible is when the server does not support 100-continue expectation and the the PUT request entity is not repeatable. > >> And what are these major security risks involved in using preemtive >> authentication against known and secured adresses? >> > > If you control both ends probably none, as long as everything stays > constant. But it only takes a small configuration mistake on the client > side or a wrong redirect on the server side to get your credentials sent > to a wrong site in _clear_ text. I have seen that happen too many times. > > Oleg > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] >
smime.p7s
Description: S/MIME cryptographic signature
