[Cryptography] Basic auth a bit too basic

Peter Todd pete at petertodd.org
Sat Feb 6 16:47:13 EST 2016


On Sat, Feb 06, 2016 at 06:46:00PM -0000, John Levine wrote:
> >Someone just pointed out an interesting problem with HTTP basic auth,
> >published in 1999 as RFC 2617 and updated 15 years later as RFC 7617: It's an
> >HTTP version of Hotel California, you can log in but you can never leave
> 
> This problem, known in North America as a "roach motel", has been well
> known as long as I've been messing with web sites.
> 
> It would be technically straightforward for browsers to have a logout
> button that forgets the auth credentials for the current page, or to
> invent an HTML meta tag that tells browsers to forget auth credentials
> for the current page's domain (give or take the same cross-domain
> issues with cookies.)  The fact that nobody's done either suggests
> that it's not a big problem in practice.
> 
> Also note that you can log out reliably by exiting and restarting your
> browser, which is a pain but not that big a pain.

Also, if you log in with a private window, Firefox at least forgets the
auth when you close that window.

But yeah, 100% agree that log-out buttons are needed at minimum.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
000000000000000008320874843f282f554aa2436290642fcfa81e5a01d78698
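The "can't log out" property discussed in this thread follows from how RFC 7617 works on the server side: every request is authenticated independently from the Authorization header the browser resends, and the server holds no session it could invalidate. The following example is added here to illustrate that; it is not code from the original post or from any of the participants. It implements the RFC 7617 header handling for a minimal server: decode the base64 "user-id:password" credential (splitting at the first colon, since only the password may contain one), compare it in constant time against a constructed credential store (the user-id/password pair is the one RFC 7617 itself uses as its example), and answer unauthenticated requests with a WWW-Authenticate challenge. The realm name, the listen address and the store contents are assumptions of the example.

```python
import base64
import binascii
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Constructed credential store for this example (RFC 7617's example pair).
# A real server would keep a salted password hash, never the password.
CREDENTIALS: Dict[str, str] = {"Aladdin": "open sesame"}
REALM = "example"  # assumed realm name


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an RFC 7617 Authorization header into (user_id, password).

    Returns None for anything that is not a well-formed Basic credential.
    The scheme name is case-insensitive; the token is base64 of
    "user-id:password"; the user-id may not contain a colon, so the
    split happens at the first one and the password keeps any others.
    """
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user_id, password = decoded.split(":", 1)
    return user_id, password


def credentials_valid(header: Optional[str], store: Dict[str, str] = CREDENTIALS) -> bool:
    """True if the header carries a user-id and password matching the store.

    There is no session: each request is judged on its own header, which is
    exactly why a server cannot "log out" a Basic-auth client.
    """
    parsed = parse_basic_authorization(header)
    if parsed is None:
        return False
    user_id, password = parsed
    expected = store.get(user_id)
    if expected is None:
        # Burn a comparison so unknown users cost the same as known ones.
        hmac.compare_digest(password.encode("utf-8"), b"placeholder")
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def challenge_header(realm: str = REALM) -> str:
    """WWW-Authenticate value that makes a browser prompt for credentials."""
    return 'Basic realm="%s", charset="UTF-8"' % realm


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Minimal handler: 401 + challenge until a valid credential arrives."""

    def do_GET(self) -> None:
        if not credentials_valid(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", challenge_header())
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"authenticated\n")


if __name__ == "__main__":
    # Assumed local listen address for trying the handler with a browser.
    HTTPServer(("127.0.0.1", 8080), BasicAuthHandler).serve_forever()
```

Running it and visiting http://127.0.0.1:8080/ in a browser shows the behaviour the thread describes: after the first successful prompt the browser attaches the same Authorization header to every later request, and nothing the server does with its own state changes that.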