Firewall Wizards mailing list archives

Re: httptunnel


From: Wyllys Ingersoll <wyllys () reston wcom net>
Date: Thu, 25 Mar 1999 08:21:15 -0500

On Wed, Mar 24, 1999 at 11:26:28AM -0500, youngk () ttc com wrote:
We currently do not use proxy authentication for HTTP requests
which originate internally.  May change that.  I presume that
that could help thwart a covert trojan program trying to get
out w/ HTTP.  Thoughts?

Simple... just have the trojan horse wait a couple of seconds after
Netscape/IE is opened. By that time, the user would have authenticated with
the firewall. Since most people have a time window before they have to
re-authenticate, the trojan horse would be able to run during this time.
Even single-use password systems would be vulnerable due to that time
frame.

I don't think this is correct.  When a proxy requests "proxy authentication"
credentials from a client, that client will send the authentication
header to the proxy with every single request it sends from that point
on (or until the user changes the proxy settings).  Waiting a couple
of seconds and then trying to send an unauthenticated request will
just make the proxy ask for it again; it will not pass it through.


Only firewalls which authenticate every time you retrieve a file from
outside the domain which you authenticated against would be safe. However,
I think that due to the fact that many web pages now have links to graphics
on advertisement networks (which would cause you to re-authenticate several
times as it downloads the different graphics), very few people have this
kind of setup.


Any firewall or non-firewall proxy that does true HTTP Proxy-Authentication
will require the "Proxy-Authorization:" header field be in every
request; that is how it is defined by the HTTP RFC.  A truly secure
proxy should not be caching the credentials and allowing unauthenticated
requests to go through.

--
 Wyllys Ingersoll                    
 UUNET (MCI Worldcom)
 Reston, VA
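
The two proxy behaviours debated in this message, side by side, as an added example that is not part of the original post: one proxy checks "Proxy-Authorization:" on every request, the other remembers an authenticated client address for a time window. The user table, addresses, 300-second window and class names are all constructed for illustration.

```python
import base64
import hmac

USERS = {"alice": "s3cret"}  # constructed credential store
WINDOW = 300                 # assumed re-authentication window, in seconds

def valid_credentials(headers):
    """True if Proxy-Authorization carries valid Basic credentials."""
    scheme, _, token = headers.get("Proxy-Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or malformed UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

class PerRequestProxy:
    """Requires the header on every request; no state is kept per client."""
    def handle(self, client_ip, headers, now):
        return 200 if valid_credentials(headers) else 407

class TimeWindowProxy:
    """Weak design: trusts a client address for WINDOW seconds after a login."""
    def __init__(self):
        self.last_auth = {}
    def handle(self, client_ip, headers, now):
        if valid_credentials(headers):
            self.last_auth[client_ip] = now
            return 200
        if now - self.last_auth.get(client_ip, float("-inf")) <= WINDOW:
            return 200  # forwarded although no credentials were presented
        return 407

def replay(proxy):
    """Run three constructed requests from one host; return the status codes."""
    cred = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    requests = [
        ("10.0.0.5", {}, 0),                             # browser, first try
        ("10.0.0.5", {"Proxy-Authorization": cred}, 1),  # browser, after 407
        ("10.0.0.5", {}, 3),                             # other process, no header
    ]
    return [proxy.handle(ip, headers, now) for ip, headers, now in requests]

if __name__ == "__main__":
    print("per-request:", replay(PerRequestProxy()))
    print("time-window:", replay(TimeWindowProxy()))
```

Only the time-window proxy forwards the third request; the per-request proxy answers it with 407 (Proxy Authentication Required).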



