Problems with HTTP Authentication Interop

Joe Gregorio

I have, for various reasons to be revealed at a later date, been looking good and hard at HTTP authentication such as RFC 2617 and such. The situation is really quite apalling and at times I feel like I've wandered into a bad pardoy of Monty Python's The Cheese Shop Sketch.

(a customer walks in the door.)

Customer: Good Morning.
Owner:    Good morning, Sir.  Welcome to the National HTTP 
          Authentication and Cookie Emporium!
Customer: Ah, thank you, my good man.
Owner:    What can I do for you, Sir?
C: Well, I was, uh, sitting in the public library on Thurmon 
   Street just now, putting the two-point-oh on my web 
   application, and I suddenly came over all unfettered.
O: Unfettered, sir?
C: Insecure.
O: Eh?
C: 'Eee, Ah wus like, all me stuff is 'anging out on the 
   internets unprotected!
O: Ah, unprotected!
C: In a nutshell.  And I thought to myself, "a little cryptographic
   challenge-response will do the trick," so, I curtailed my 
   two-point-oh'ing activites, sallied forth, and infiltrated your 
   place of purveyance to negotiate the vending of some transport 
O: Come again?
C: I want to buy some HTTP Authentication.
O: Oh, I thought you were complaining about the bazouki player!
C: Oh, heaven forbid: I am one who delights in all manifestations 
   of the Terpsichorean muse!
O: Sorry?
C: 'Ooo, Ah lahk a nice tuune, 'yer forced too!
O: So he can go on playing, can he?
C: Most certainly!  Now then, some Auth please, my good man.
O: (lustily) Certainly, sir.  What would you like?
C: Well, eh, how about a little Basic.
O: I'm, a-fraid you won't like the Basic, sir.
C: Really, and why do you say that?
O: Using Basic authentication is like running around without any 
   pants on with your name and password embroidered on your 
   boxer shorts.
C: And how is that?
O: Well it's not much protection and its rather uncomfortable on 
   everyone that sees you doing it. Maybe I can interest you 
   in a cookie?
C: Oh, never mind, how are you on Digest?
O: Ah!  We have Digest, yessir.
C: (suprised) You do!  Excellent.
O: What kind do you want?
C: What kind of Digest?
O: Yes, you get to choose, lot's of variants of Digest.
O: Yessir.  It's..ah,'s a bit full of options...dribbbling over 
   with them if you will..
C: Oh, I like options.
O: Well,.. It's very option-ny, actually, sir.
C: No matter. I'll take Digest MD5-sess.
O: Oooooooooohhh........!   
C: What now?
O: Apache's eaten it.
C:     Has he.
O: It, sir.
C: Digest auth-int?
O: No.
C: Digest SHA?
O: No.
C: *have* some HTTP Authentication, don't you?
O: (brightly) Of course, sir.  It's an HTTP Authentication shop, sir.  
   We've got--
C: No no... don't tell me.   I'm keen to guess.
O: Fair enough.
C: Digest MD5?
O: Yes.
C: Really?!
O: Yes, but it's a bit banged up.
C: Banged up? How does an Auth get banged up?
O: You see, he's had his 'int' knocked off, MD5 only works 
   with auth, not auth-int.
C: Apache again?
O: No, no no, everyone knocks the 'int' off these days, kinda like a 
   tradition in these parts.
C: Any other blemishes on this MD5 I should know about.
O: No. no. no. well..... did you want query parameters with that?
C: (resigned) What about the query parameters?
O: Oh, those are carefully removed before shipping by Internet 
C: So if I can summarize, you are offering me a moldy bit of 
   Digest MD5 with the the 'int' knocked off, and even if I do get 
   this working, I can't use query parameters because of Internet 
O: Shall I wrap it up for you, sir?
C: No! That's completely unacceptable.
O: May I interest you in a cookie?
C: Stop it with the cookies. Is that all the HTTP Auth you have? 
   It's not  much of a HTTP Authentication shop, is it?
O: Finest in the district!
C: (annoyed) Explain the logic underlying that conclusion, please.
O: Well, it's so clean, sir!
C: It's certainly uncontaminated by interop....
O: (brightly) You haven't asked me about WSSE, sir.
C: Would it be worth it?
O: Could be....
O: Told you sir....
C: (slowly) Have you got any WSSE?
O: Yes.
C: Really?
O: Well... it's not really an HTTP Authentication.
C: I'll take it.
O: Actually, it's a bit of something that cat coughed up this
   morning. Doesn't even work with any browsers.
C: Will it at least protect me from man-in-the-middle attacks?
O: No sir, none of them will do that.
C: Figures.
   Predictable, really I suppose.  It was an act of purest optimism 
   to have posed the question in the first place.  Tell me:
O: Yessir?
C: (deliberately) Have you in fact got any HTTP Authentication 
   here at all that will protect my password and ensure the integrity 
   of my bits as they ply the byways of the intenet?
O: Yes, sir.
C: Really?
O: No.  Not really, sir.
C: You haven't.
O: Nosir.  Not a scrap.  I was deliberately wasting your time, sir.
C: Well I'm sorry, but I'm going to have to shoot you.
O: Right-0, sir.

The customer takes out a gun and shoots the owner.

C: What a senseless waste of human life.

I am not making any of this stuff up. Basic is not really an option since it transmits your name and password unencrypted. Yes, it encodes it as base64, but that's not encryption. Apache 2.0 does not do 'auth-int'. While Python's urllib2 claims to do MD5-sess, Apache does not implement it correctly. In addition looking at the code of urllib2 it supports algorithm=SHA, but there's no mention of that as an option in RFC 2617. WSSE isn't really specified for plain HTTP; it was originally designed for WS-Security and unofficially ported to HTTP; the definitive reference is an article, and while an august publication, it hardly ranks up there with the IETF or W3C.

There are some bright spots: on Apache 2.0.51 or later you can get IE and Digest to work by using this directive:

BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

Now before you start telling me to use TLS please realize that I, like many other people, use a shared hosting account; even if I wanted to shell out the money to buy a certificate I wouldn't be able to set up TLS for my site.

And don't even get me started on how browsers handle authentication and how web designers have conniption fits because they can't control the look and feel of the default pop-up dialog that prompts you for your name and password when you use Basic or Digest.

For further reading you may want to check out this W3C note from 1999 (!) User Agent Authentication Forms. In addition the WHATWG's Web Applications 1.0 specification lists Better defined user authentication state handling. (Being able to "log out" of sites reliably, for instance, or being able to integrate the HTTP authe

Are you sad, disgusted and exasperated? If so then you might be in the right state of mind to join the Ietf-http-auth mailing list and help us get out of this mess. In the mean time, would you like a cookie?

Update: Karl Dubost wrote to point out these items as further reading: Common HTTP Implementation Problems and Minutes of Tag F2F Afternoon of 20 Sept. 2005

comments powered by Disqus