-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mauro Tortonesi wrote:
> On Tue, 26 Jun 2007 13:33:35 -0700 Micah Cowan <[EMAIL PROTECTED]>
> wrote:
>
>> - Wget should not be attempting basic authentication before it
>> receives a challenge (which could be digest or what have you). This
>> is a security issue.
>
> i am not so sure this is a critical point. as hrvoje pointed out,
> basic authentication is definitely the most used authentication
> mechanism on the web, so changing the current policy to perform
> digest authentication first and use basic authentication as a
> failover might result in a performance penalty.

It will absolutely result in a (small: one per host?) performance
penalty. The same penalty that virtually every web browser is already
resigned to. However, performance at the cost of security is not a
trade-off I am willing to make. Regardless of whether digest is widely
used or not, any security-minded user who happens to discover the way
we do things will be very upset with us, and justifiably so. This
situation is really inexcusable.

If the performance is really a concern, though, I wouldn't be opposed
to adding a switch to specify that the server should send
authentication information without waiting to be prompted; the user
could also use this switch to specify which method should be used.
However, I would not allow this switch to be used when spanning hosts.

> in addition, both
> basic and digest authentication are meant to be used in https only.
> in fact, while digest authentication does not send the password in
> clear text over the wire, it certainly does not protect from MiM
> attacks.

"meant to be used"... I don't think that's accurate (I don't see
anything in the relevant RFC to that effect). For maximum security,
they only _should_ be used in https, and yet frequently are not. And
MiM is at least more difficult to set up than simple sniffing; digest
at least offers protection against that, if not MiM. We should provide
the maximum protection afforded us by the mechanism in use.

Interesting quote from RFC 2617:

  "Both Digest and Basic Authentication are very much on the weak end
  of the security strength spectrum. But a comparison between the two
  points out the utility, even necessity, of replacing Basic by Digest.

  "The greatest threat to the type of transactions for which these
  protocols are used is network snooping."

> wrt digest authentication, it would be nice to have it work for proxy
> connections as well. so far, wget supports only basic authentication
> for HTTP proxies (no NTLM authentication either).

Yes. That's on my list. :)

>> - There was a report to the mailing list that user:pass information
>> was being sent in the Referer header. I didn't see any further
>> activity on that thread, and haven't yet had the opportunity to
>> confirm this; it may be an old, fixed issue. However, if it's true,
>> I would consider this to be a show-stopper.
>
> yes, we need to check that.
>
>
>> I expect that both of these issues would require very small effort
>> to resolve.
>
> don't be so sure about it ;-)

Wrt the first, isn't all we need to do simply to move the "basic"
mechanism down by the "digest" mechanism, where we handle the case that
auth failed?

Wrt the second, a small snip from the URL should be all that's
necessary (along with whatever allocation/deallocation requirements
that brings).

- --
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGgqBT7M8hyUobTrERCD5bAJ9Lj1PKMJXtJrgOB/T+dLp83s/LdwCfdKin
R2v6nWvL7PUUt9xkAkxUUzY=
=Leol
-----END PGP SIGNATURE-----
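The two fixes argued for in this message, answering an authentication challenge rather than sending Basic credentials preemptively and keeping URL userinfo out of the Referer header, are illustrated below in an added Python example. This is not wget's code and not code from the thread; it is a standalone sketch of the two checks. It assumes only the Python standard library, limits the scheme preference to the two schemes the thread discusses (Digest over Basic, since RFC 2617 ranks them that way), and uses constructed sample challenge strings and URLs.

```python
"""Added example (not wget's code): the two client-side checks this
message asks for.

1. Send credentials only in answer to a 401 challenge, and when the
   server offers several schemes prefer Digest over Basic.
2. Strip user:pass@ from a URL before reusing it as a Referer value.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Strongest first, limited to the schemes discussed in the thread (assumption).
SCHEME_PREFERENCE = ("digest", "basic")

# A quoted-string per RFC 2617 (may contain commas, which must not split challenges).
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A scheme name: a token at the start of the value or right after a comma that is
# followed by whitespace, a comma or the end, never by '=' (that would be auth-param).
_SCHEME = re.compile(r'(?:^|,)\s*([A-Za-z][A-Za-z0-9._~+/-]*)(?=\s|,|$)')


def offered_schemes(www_authenticate):
    """Return the lower-cased scheme names in a WWW-Authenticate value, in
    server order. Quoted strings are blanked first so a comma inside
    realm="a, b" cannot be mistaken for a challenge separator."""
    cleaned = _QUOTED.sub('""', www_authenticate)
    return [m.group(1).lower() for m in _SCHEME.finditer(cleaned)]


def choose_auth_scheme(status, www_authenticate):
    """Decide which scheme to answer with, or None for 'send nothing'.

    None is returned both when the server never challenged (no 401) and
    when it offered only schemes we do not support, so credentials are
    never volunteered ahead of a challenge."""
    if status != 401 or not www_authenticate:
        return None
    offered = set(offered_schemes(www_authenticate))
    for scheme in SCHEME_PREFERENCE:
        if scheme in offered:
            return scheme
    return None


def referer_for(url):
    """Rebuild a URL for use as a Referer value: the userinfo (user:pass@)
    is dropped, and so is the fragment, which is never sent anyway."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:            # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    print(choose_auth_scheme(200, None))                       # None: no challenge
    print(choose_auth_scheme(401, 'Basic realm="wget"'))       # basic
    print(choose_auth_scheme(
        401, 'Digest realm="wget", nonce="abc,def", qop="auth", Basic realm="wget"'))  # digest
    print(referer_for("http://user:s3cret@example.com:8080/dir/page?q=1#frag"))
```

`choose_auth_scheme` is the policy change Micah describes: the Basic path sits behind the Digest path and neither runs until a 401 has actually arrived. `referer_for` is the "small snip from the URL" for the second issue; using the parsed components rather than string surgery means an IPv6 host or a non-default port survives the rebuild.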