[Cryptography] Basic auth a bit too basic

Kevin W. Wall kevin.w.wall at gmail.com
Sat Feb 6 17:19:46 EST 2016


On Sat, Feb 6, 2016 at 1:46 PM, John Levine <johnl at iecc.com> wrote:
>>Someone just pointed out an interesting problem with HTTP basic auth,
>>published in 1999 as RFC 2617 and updated 15 years later as RFC 7617: It's an
>>HTTP version of Hotel California, you can log in but you can never leave
>
> This problem, known in North America as a "roach motel" has been well
> known as long as I've been messing with web sites.
>
> It would be technically straightforward for browsers to have a logout
> button that forgets the auth credentials for the current page, or to
> invent an HTML meta tag that tells browsers to forget auth credentials
> for the current page's domain (give or take the same cross-domain
> issues with cookies.)  The fact that nobody's done either suggests
> that it's not a big problem in practice.
>
> Also note that you can log out reliably by exiting and restarting your
> browser, which is a pain but not that big a pain.

In Mozilla Firefox you can do this--sort of. Menu item under

    History --> Clear Recent History --> Active Logins (under Details)

It works, but just is not very selective as this kills all "active logins" over
some time range (the shortest being the "last hour"). I use it occasionally
with IPCop. There's a keyboard shortcut to the 'Clear Recent History'
(Ctrl-Shift-Del), but it still totally flunks from a usability perspective.

-kevin


-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
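The thread's point is that a browser, once it has answered a Basic challenge, keeps the credentials for that origin and realm and resends them on every request, and no server response can tell it to stop; only a client-side action (restarting the browser, or Firefox's "Active Logins" clearing described above) empties that memory. As an added example, not code from the thread or from any browser, here is a small Python model of that behaviour: an RFC 7617 credentials parser and builder, plus a credential cache keyed by (origin, realm) that has only a global "forget everything" operation. The names `parse_basic_auth`, `build_basic_auth`, `BasicAuthCache` and `simulate_roach_motel` are hypothetical; the "Aladdin" / "open sesame" sample is the one RFC 7617 itself uses, and the origin, realm and log-out URL are constructed.

```python
import base64
import binascii


def build_basic_auth(user, password):
    """Build an RFC 7617 'Authorization: Basic ...' header value (hypothetical helper)."""
    if ":" in user:
        # RFC 7617: the user-id must not contain a colon, since the first colon
        # is the separator; the password may contain colons.
        raise ValueError("user-id must not contain a colon")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header_value, charset="utf-8"):
    """Return (user, password) from a Basic header value, or raise ValueError."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credentials header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("credentials are not valid base64")
    try:
        decoded = raw.decode(charset)
    except UnicodeDecodeError:
        raise ValueError(f"credentials are not valid {charset}")
    # Split on the FIRST colon only so passwords containing ':' survive.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials lack the user:password separator")
    return user, password


class BasicAuthCache:
    """Models a browser's memory of Basic credentials, keyed by (origin, realm).

    Like the browsers the thread discusses, it has no per-site log-out: the
    only way to drop a credential is to drop all of them at once.
    """

    def __init__(self):
        self._store = {}

    def remember(self, origin, realm, header_value):
        self._store[(origin, realm)] = header_value

    def header_for(self, origin, realm):
        """Header the browser would attach to a request for this origin/realm."""
        return self._store.get((origin, realm))

    def forget_all(self):
        """The 'Clear Recent History -> Active Logins' equivalent: not selective."""
        count = len(self._store)
        self._store.clear()
        return count


def simulate_roach_motel():
    """Walk through challenge, login, a server 'logout' page, and a client clear.

    Returns a dict of observations so the behaviour can be checked.
    """
    origin, realm = "https://intranet.example", "Admin"  # constructed values
    browser = BasicAuthCache()

    # 1. Server answers 401 with WWW-Authenticate: Basic realm="Admin";
    #    the user types credentials and the browser caches the header.
    browser.remember(origin, realm, build_basic_auth("Aladdin", "open sesame"))
    sent_after_login = browser.header_for(origin, realm)

    # 2. Server serves a "/logout" page with 200 OK. Nothing in HTTP lets that
    #    response evict the cached credentials, so the next request still
    #    carries the very same header.
    sent_after_server_logout = browser.header_for(origin, realm)

    # 3. Only a client-side clear empties the cache, and it drops every realm.
    cleared = browser.forget_all()
    sent_after_client_clear = browser.header_for(origin, realm)

    return {
        "resent_verbatim_after_server_logout": sent_after_login == sent_after_server_logout,
        "user_after_login": parse_basic_auth(sent_after_login)[0],
        "entries_cleared": cleared,
        "header_after_client_clear": sent_after_client_clear,
    }


if __name__ == "__main__":
    print(simulate_roach_motel())
```

The `parse_basic_auth` function is also the right place to see why the credentials are worth protecting in transit: they are only base64-wrapped, not encrypted, and they ride along on every request until the cache is cleared.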