nanog mailing list archives

Re: mail admins?

From: Michael Thomas <mike () mtcc com>
Date: Mon, 27 Apr 2020 09:39:22 -0700


On 4/27/20 8:35 AM, William Herrin wrote:

On Mon, Apr 27, 2020 at 7:14 AM Michael Thomas <mike () mtcc com> wrote:

On 4/26/20 8:39 PM, Matt Palmer wrote:

On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:

Which exactly zero deployment. And you need to store the plain-text password
on the server side. What could possibly go wrong?

But you said that *passwords on the wire* were the biggest problem.  Digest
auth solves that.  Also, you don't have to store the plain-text password.

Correct. You need only store the realm/user/password digest. The chief
problem with digest authentication is that the web site has no control
over the UI. Among the many issues, this makes it tricky to reliably
capture a digest in the first place without the server at least
briefly knowing the password. I don't know if webauthn corrects this
or makes similar blunders.

Webauthn corrects this by not using passwords at all. It uses public keycrypto which has the nice property that the thing that the serverremembers is, um, public. A compromise of public keys -- unlike unsaltedpassword hashes in the LinkedIn case -- does no harm. That was theinsight that Paul, Steven and I had with RFC 7486 back in 2012, as wemashed together two different ways going about that in our experimentalrfc.

I'll stand by my initial stance: passwords over the wire remain thelargest security hole on the net because their reuse means you only haveto target the weakest sites to harvest them. Worse, you can create anactive attack to get people to just give you their passwords by settingup some interesting site that requires an account whose actual purposeis to harvest passwords. Digest does exactly nothing to deal with thatproblem.


Also, says wikipedia about digest:


     Disadvantages[edit
     <https://en.wikipedia.org/w/index.php?title=Digest_access_authentication&action=edit&section=5>]

There are several drawbacks with digest access authentication:

 * The website has no control over the user interface presented to the
   end user.
 * Many of the security options inRFC 2617
   <https://tools.ietf.org/html/rfc2617>are optional. If
   quality-of-protection (qop) is not specified by the server, the
   client will operate in a security-reduced legacyRFC 2069
   <https://tools.ietf.org/html/rfc2069>mode
 * Digest access authentication is vulnerable to aman-in-the-middle
   (MITM) attack
   <https://en.wikipedia.org/wiki/Man-in-the-middle_attack>. For
   example, a MITM attacker could tell clients to use basic access
   authentication or legacy RFC2069 digest access authentication mode.
   To extend this further, digest access authentication provides no
   mechanism for clients to verify the server's identity
 * Some servers require passwords to be stored using reversible
   encryption. However, it is possible to instead store the digested
   value of the username, realm, and password^[5]
   <https://en.wikipedia.org/wiki/Digest_access_authentication#cite_note-5>

 * It prevents the use of a strong password hash (such asbcrypt
   <https://en.wikipedia.org/wiki/Bcrypt>) when storing passwords
   (since either the password, or the digested username, realm and
   password must be recoverable)

So my memory doesn't seem to be completely wrong here. It's been agessince I've thought about digest.


I can't speak to Steven, Paul, the w3c or any other non-posters to
this thread that you wish to employ in an appeal to authority fallacy
but with due respect, I think you hold a myopic view of network
security. For better or worse, security is a zero-sum game. The budget
stays proportional to the value of the asset being protected. When you
spend it on low-impact improvements you don't have it for the many
improvements with a higher impact than whether a web site knows the
password you chose for that web site.

With webcrypto, you can do whatever you want these days, and usewhatever UI you want. Webauthn is primarily about replacing user-facingpasswords from what I can tell, but it seems like it was completelyinformed by crypto dongles and the business of selling them. While thatmight be fine for high value network equipment, etc, it adds a hugeamount of complexity in what otherwise is a pretty straightforward useof public key cryptography: user enrolls their public key into theserver auth backend (bound to some identity), you log in by the serversending you a nonce, etc which the browser signs with the correspondingpublic key which the server verifies. Done. Maybe I should do this againnow that webcrypto is here instead of my janky javascriptimplementation. Trying to get webauthn to work with just localcredentials was like pulling teeth and frighteningly complex forsomething that should be pretty straightforward. It would extremelydisheartening if the best was the enemy of the good.


Mike

Current thread:

Re: mail admins?, (continued)
- - - Re: mail admins? Michael Thomas (Apr 24)
    - Re: mail admins? Raymond Burkholder (Apr 23)
    - Re: mail admins? Michael Thomas (Apr 23)
    - Re: mail admins? Rich Kulawiec (Apr 26)
    - Re: mail admins? Michael Thomas (Apr 26)
    - Re: mail admins? Matt Palmer (Apr 26)
    - Re: mail admins? Michael Thomas (Apr 26)
    - Re: mail admins? Matt Palmer (Apr 26)
    - Re: mail admins? Michael Thomas (Apr 27)
    - Re: mail admins? William Herrin (Apr 27)
    - Re: mail admins? Michael Thomas (Apr 27)