[Cryptography] Basic auth a bit too basic

Sun Feb 7 11:56:33 EST 2016

On Sat, Feb 6, 2016 at 10:58 PM, John Gilmore <gnu at toad.com> wrote:
>>> It would be technically straightforward for browsers to have a logout
>>> button that forgets the auth credentials for the current page, or to
>>> invent an HTML meta tag that tells browsers to forget auth credentials
>>> for the current page's domain (give or take the same cross-domain
>>> issues with cookies.)  The fact that nobody's done either suggests
>>> that it's not a big problem in practice.
>
> Well, the fact that Firefox hasn't done it means that the job has been
> outsourced to the a popular extension.  Cookie Monster has a menu item
> for it (pop-up menu -> View Cookies -> Delete Cookies for
> example.com).  It also lets you delete cookies more generally, as well
> as providing easy ways to set recurring policies like "For sites I
> haven't otherwise mentioned, never accept cookies", "Never accept
> cookies for the site I'm currently viewing", "Always turn all cookies
> into session cookies for this site", or "Accept cookies temporarily
> from this site, then after this session, go back to not accepting
> them."
>
> [Are there are any "auth credentials" other than cookies that are used
>  by more than a tiny fraction of web sites?]

The major one that I see is with company intranet sites using
Integrated Windows Authentication (SPNEGO, Kerberos, NTLM,
maybe others). IWA is an "always on" type of authentication.
The danger with that is there session timeout doesn't really protect
you from things like XSS and CSRF attacks because even if the
current session has timed out, you just get assigned a new session.

And even if you tell your browser "stop ending the Authentication:"
header for this particular site, it will automatically redo the negotiation
again. AFAIK, the only effective logout mechanism here is to kill your
browser.

> In general, Firefox maintainers seem to take the attitude that it's OK
> if Google, Facebook, and NSA can track you everywhere you go on the
> web.  Fixing that seems much less important to them than making sure
> that every website everywhere always works the way the third-party
> designers intended -- even when the designers were malevolent (or
> merely ignorant and manipulated by one of the big tracking companies).
> Extensions that plug into Firefox, like NoScript, Cookie Monster,
> Privacy Badger, Request Policy, RefControl, etc, are willing to break
> some web sites in return for giving the *end user* control over who is
> tracking them.

I think Firefox takes the assumption that if you are only concerned about
tracking, then you can use Private browsing windows and for anything
else, there are plug-ins or add-ons. This probably is a good thing as
Firefox is already extremely complex.

> Merely getting rid of your browser's Referer headers by default will
> eliminate a large amount of tracking, while breaking only a tiny
> number of sites (that require Referer to defend against cross-site
> scripting, a foolish idea since Referer lines are easy to spoof).

You probably meant CSRF rather than XSS. That is much more common,
although as you point out, still largely ineffective. As far as ditching the
Referer headers, it really doesn't seem to break all that much. I've seen
corporations with transparent proxies at least block Referer headers
pointing at their internal sites. So, if done judiciously--e.g., block the
Referer header unless it refers to the same site as the destination site,
it likely won't break anything.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.