I have, for various reasons to be revealed at a later date, been looking good and hard at HTTP authentication such as RFC 2617 and such. The situation is really quite apalling and at times I feel like I've wandered into a bad pardoy of Monty Python's The Cheese Shop Sketch.
(a customer walks in the door.) Customer: Good Morning. Owner: Good morning, Sir. Welcome to the National HTTP Authentication and Cookie Emporium! Customer: Ah, thank you, my good man. Owner: What can I do for you, Sir? C: Well, I was, uh, sitting in the public library on Thurmon Street just now, putting the two-point-oh on my web application, and I suddenly came over all unfettered. O: Unfettered, sir? C: Insecure. O: Eh? C: 'Eee, Ah wus like, all me stuff is 'anging out on the internets unprotected! O: Ah, unprotected! C: In a nutshell. And I thought to myself, "a little cryptographic challenge-response will do the trick," so, I curtailed my two-point-oh'ing activites, sallied forth, and infiltrated your place of purveyance to negotiate the vending of some transport substantiation! O: Come again? C: I want to buy some HTTP Authentication. O: Oh, I thought you were complaining about the bazouki player! C: Oh, heaven forbid: I am one who delights in all manifestations of the Terpsichorean muse! O: Sorry? C: 'Ooo, Ah lahk a nice tuune, 'yer forced too! O: So he can go on playing, can he? C: Most certainly! Now then, some Auth please, my good man. O: (lustily) Certainly, sir. What would you like? C: Well, eh, how about a little Basic. O: I'm, a-fraid you won't like the Basic, sir. C: Really, and why do you say that? O: Using Basic authentication is like running around without any pants on with your name and password embroidered on your boxer shorts. C: And how is that? O: Well it's not much protection and its rather uncomfortable on everyone that sees you doing it. Maybe I can interest you in a cookie? C: Oh, never mind, how are you on Digest? O: Ah! We have Digest, yessir. C: (suprised) You do! Excellent. O: What kind do you want? C: What kind of Digest? O: Yes, you get to choose, lot's of variants of Digest. O: Yessir. It's..ah,...it's a bit full of options...dribbbling over with them if you will.. C: Oh, I like options. O: Well,.. It's very option-ny, actually, sir. C: No matter. I'll take Digest MD5-sess. O: Oooooooooohhh........!
C: What now? O: Apache's eaten it. C: Has he. O: It, sir. (pause) C: Digest auth-int? O: No. C: Digest SHA? O: No. C: You...do *have* some HTTP Authentication, don't you? O: (brightly) Of course, sir. It's an HTTP Authentication shop, sir. We've got-- C: No no... don't tell me. I'm keen to guess. O: Fair enough. C: Digest MD5? O: Yes. C: Really?! O: Yes, but it's a bit banged up. C: Banged up? How does an Auth get banged up? O: You see, he's had his 'int' knocked off, MD5 only works with auth, not auth-int. C: Apache again? O: No, no no, everyone knocks the 'int' off these days, kinda like a tradition in these parts. C: Any other blemishes on this MD5 I should know about. O: No. no. no. well..... did you want query parameters with that? C: (resigned) What about the query parameters? O: Oh, those are carefully removed before shipping by Internet Explorer. C: So if I can summarize, you are offering me a moldy bit of Digest MD5 with the the 'int' knocked off, and even if I do get this working, I can't use query parameters because of Internet Explorer? O: Shall I wrap it up for you, sir? C: No! That's completely unacceptable. O: May I interest you in a cookie? C: Stop it with the cookies. Is that all the HTTP Auth you have? It's not much of a HTTP Authentication shop, is it? O: Finest in the district! C: (annoyed) Explain the logic underlying that conclusion, please. O: Well, it's so clean, sir! C: It's certainly uncontaminated by interop.... O: (brightly) You haven't asked me about WSSE, sir. C: Would it be worth it? O: Could be.... C: Have you --SHUT THAT BLOODY BAZOUKI OFF! O: Told you sir.... C: (slowly) Have you got any WSSE? O: Yes. C: Really? O: Well... it's not really an HTTP Authentication. C: I'll take it. O: Actually, it's a bit of something that cat coughed up this morning. Doesn't even work with any browsers. C: Will it at least protect me from man-in-the-middle attacks? O: No sir, none of them will do that. C: Figures. Predictable, really I suppose. It was an act of purest optimism to have posed the question in the first place. Tell me: O: Yessir? C: (deliberately) Have you in fact got any HTTP Authentication here at all that will protect my password and ensure the integrity of my bits as they ply the byways of the intenet? O: Yes, sir. C: Really? (pause) O: No. Not really, sir. C: You haven't. O: Nosir. Not a scrap. I was deliberately wasting your time, sir. C: Well I'm sorry, but I'm going to have to shoot you. O: Right-0, sir. The customer takes out a gun and shoots the owner. C: What a senseless waste of human life.
I am not making any of this stuff up. Basic is not really an option since it transmits your name and password unencrypted. Yes, it encodes it as base64, but that's not encryption. Apache 2.0 does not do 'auth-int'. While Python's urllib2 claims to do MD5-sess, Apache does not implement it correctly. In addition looking at the code of urllib2 it supports algorithm=SHA, but there's no mention of that as an option in RFC 2617. WSSE isn't really specified for plain HTTP; it was originally designed for WS-Security and unofficially ported to HTTP; the definitive reference is an XML.com article, and while an august publication, it hardly ranks up there with the IETF or W3C.
There are some bright spots: on Apache 2.0.51 or later you can get IE and Digest to work by using this directive:
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Now before you start telling me to use TLS please realize that I, like many other people, use a shared hosting account; even if I wanted to shell out the money to buy a certificate I wouldn't be able to set up TLS for my site.
And don't even get me started on how browsers handle authentication and how web designers have conniption fits because they can't control the look and feel of the default pop-up dialog that prompts you for your name and password when you use Basic or Digest.
For further reading you may want to check out this
W3C note from 1999 (!) User Agent Authentication Forms.
In addition the WHATWG's Web Applications 1.0 specification lists
Better defined user authentication state handling. (Being able to "log out" of sites reliably, for instance, or being able to integrate the HTTP authe
Are you sad, disgusted and exasperated? If so then you might be in the right state of mind to join the Ietf-http-auth mailing list and help us get out of this mess. In the mean time, would you like a cookie?
Update: Karl Dubost wrote to point out these items as further reading: Common HTTP Implementation Problems and Minutes of Tag F2F Afternoon of 20 Sept. 2005