Bugtraq mailing list archives

Re: IE and cached passwords


From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Sat, 28 Aug 1999 11:31:04 -0700


On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> The server gets to say, in the WWW-Authenticate challenge header field, for
> which "realm" it wants credentials (name+password). If both www.company.com
> and www.company.com:81 send the same realm, then the same password will
> continue to work.
>
> This behavior is as spec'd for HTTP Authentication, RFC 2617.
>
> So, it is not a security flaw.

Paul,

  That is false. Quoting RFC2617, Page 3:

   "The realm directive (case-insensitive) is required for all
   authentication schemes that issue a challenge. The realm value
   (case-sensitive), in combination with the canonical root URL (the
   absoluteURI for the server whose abs_path is empty; see section 5.1.2
   of [2]) of the server being accessed, defines the protection space.
   These realms allow the protected resources on a server to be
   partitioned into a set of protection spaces, each with its own
   authentication scheme and/or authorization database."

 Note that the client must use the combination of the canonical root URL
and the realm value to decide if the protection space is the same. The
canonical root URL of a server on port 80 and a server on some other
port will be different (http://www.foo.com:80/ vs http://www.foo.com:81/),
so they indeed represent different protection spaces and IE is sending
the authentication messages in error.

 Now, putting aside the spec, it's silly to say that just because two
web servers run on the same host they are the same and they should
be trusted the same. One may be a company's official server. The other
may be that of a user with shell access to the server. You don't want
people accessing protected parts of the company server to hand their
authentication credentials to the user now, do you?

--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
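A small model of the credential-caching rule Aleph One quotes, as an added example that is not part of the original message: it keys cached credentials on the canonical root URL (scheme, host, explicit port) plus the case-sensitive realm, so a challenge from port 81 never receives credentials cached for port 80. The hostnames, realm strings and credentials are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_root_url(url: str) -> str:
    """Canonical root URL (RFC 2617 sec. 1.2 / RFC 2616 sec. 5.1.2): scheme,
    host and port with the abs_path empty. The port is always made explicit,
    so http://www.foo.com/ equals http://www.foo.com:80/ but not :81."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not host or port is None:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return f"{scheme}://{host}:{port}"


def realm_from_challenge(www_authenticate: str) -> str:
    """Extract the realm value from a WWW-Authenticate header. The directive
    name is case-insensitive; the quoted value is returned unchanged."""
    m = re.search(r'\brealm\s*=\s*"([^"]*)"', www_authenticate, re.IGNORECASE)
    if not m:
        raise ValueError("challenge carries no realm directive")
    return m.group(1)


def protection_space(url: str, realm: str) -> tuple:
    # Realm value is case-sensitive, so it is used verbatim in the key.
    return (canonical_root_url(url), realm)


class CredentialCache:
    """Client-side cache keyed the way RFC 2617 defines a protection space."""

    def __init__(self):
        self._store = {}

    def remember(self, url, realm, username, password):
        self._store[protection_space(url, realm)] = (username, password)

    def lookup(self, url, realm):
        # Returns None when no credentials exist for this protection space,
        # e.g. same host and realm but a different port.
        return self._store.get(protection_space(url, realm))


if __name__ == "__main__":
    cache = CredentialCache()
    cache.remember("http://www.company.com/", "Company", "alice", "s3cret")
    print(cache.lookup("http://www.company.com:81/", "Company"))  # None
```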
