Closed Bug 239735 Opened 20 years ago Closed 20 years ago

add kerberos mutual auth support to the negotiateauth extension

Categories

(Core :: Networking, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX
mozilla1.8beta1

People

(Reporter: darin.moz, Assigned: darin.moz)

(Keywords: helpwanted)

Attachments

(1 file)

add kerberos mutual auth support to the negotiateauth extension.

see bug 239734 and bug 17578 for more info.
Status: NEW → ASSIGNED
Keywords: helpwanted
Target Milestone: --- → Future
The patch adds an additional parameter to
nsIHttpAuthenticator::generateCredentials which can be used to indicate that
the server must supply additional data, and a field to nsHttpChannel which is
used to keep track of this state.  Initially, this flag is false, but is set to
true if gss_init_sec_context returns GSS_C_CONTINUE_NEEDED.  If a 2xx or 3xx
response is received (I'm not certain whether or not the spec requires this,
but mod_auth_kerb is happy to perform mutual auth for a redirect), the flag is
checked.  Handling of errors is very rough, so it still needs work.  While it
works for me, I'm not familiar enough with mozilla to know if this is even the
best way to fix it, so comments would be great.
Target Milestone: Future → mozilla1.8alpha2
Blocks: 250014
IE doesn't process mutual auth responses (although it does ask for them).

I don't yet see why mutual auth is a security benefit.  I do see that it will
occasionally annoy the user if a web server is misconfigured. If you are in an
environment in which spoofing might happen and you are worried about it, require
SSL; if you are not that worried about security, mutual auth support will add
very little security, and if users ever assume it does add security, they will
probably overestimate its value and it will give them a false sense of security.

Kerberos mutual auth as implemented in HTTP does not protect a user against
man-in-the-middle attacks and it does not prevent web site spoofing. If I were an
attacker I would just not require authentication; why would a user notice? Or if
I did want the user to authenticate, I would just ask the user for their
password.  Users would probably just suspect their KDC was down or mozilla has
a bug and enter it anyway.
Target Milestone: mozilla1.8alpha2 → mozilla1.8beta
(In reply to comment #2)
> IE doesn't process mutual auth responses (although it does ask for them).
> 
> I don't yet see why mutual auth is a security benefit.  I do see that it will
> occasionally annoy the user if a web server is misconfigured. If you are in an
> environment in which spoofing might happen and you are worried about it, require
> SSL,

That's actually the problem mutual authentication is meant to solve.  If you
already have a Kerberos infrastructure in place, you shouldn't need to also use
SSL to avoid that.  But then you don't get confidentiality, even with mutual
authentication, so it may not buy much.
> That's actually the problem mutual authentication is meant to solve.  If you
> already have a Kerberos infrastructure in place, you shouldn't need to also use
> SSL to avoid that.   

Kerberos itself can solve this problem but MS's implementation we are mimicking
can't.  If I set up a fake web server and you hit it, I can set my attack server
up to act as a proxy server.  I will send your gss-init-sec-context blob to the
server you think you are hitting, they will respond with the proper
gss-accept-sec-context token, and I will forward it back to you. Your machine
will know that mutual auth succeeded, but since there is no binding between
the auth tokens and the data, I can read or change the data in transit.
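
The forwarding problem described in the comment above, as an added toy model that is not part of the bug thread or the patch: HMAC over a shared key stands in for the GSS tokens (this is not real Kerberos), and the channel identifiers are constructed hashes standing in for something like a TLS endpoint binding. It shows that forwarded tokens still verify when nothing ties them to the connection, and stop verifying once each side mixes in the channel it actually sees.

```python
import hashlib
import hmac
import os


def _mac(key: bytes, label: bytes, nonce: bytes, channel_id: bytes) -> bytes:
    # Toy stand-in for a GSS token: proof of the shared session key,
    # optionally covering an identifier of the transport channel.
    return hmac.new(key, label + nonce + channel_id, hashlib.sha256).digest()


def client_token(key, nonce, channel_id=b""):
    """Token the client sends (the gss_init_sec_context step in this model)."""
    return _mac(key, b"init", nonce, channel_id)


def server_accept(key, nonce, token, channel_id=b""):
    """Server checks the client token; returns its mutual-auth reply or None."""
    if not hmac.compare_digest(token, _mac(key, b"init", nonce, channel_id)):
        return None
    return _mac(key, b"accept", nonce, channel_id)


def client_verify(key, nonce, reply, channel_id=b""):
    """Client checks the server's reply; True means mutual auth 'succeeded'."""
    return reply is not None and hmac.compare_digest(
        reply, _mac(key, b"accept", nonce, channel_id))


def mutual_auth_succeeds(relayed: bool, bind_channel: bool) -> bool:
    key, nonce = os.urandom(32), os.urandom(16)
    # Constructed channel identifiers (assumption: one per TLS endpoint).
    server_chan = hashlib.sha256(b"constructed: real server certificate").digest()
    relay_chan = hashlib.sha256(b"constructed: intermediary certificate").digest()
    # The client is connected to whichever endpoint it actually reached.
    client_chan = relay_chan if relayed else server_chan
    c_id = client_chan if bind_channel else b""
    s_id = server_chan if bind_channel else b""
    token = client_token(key, nonce, c_id)
    # An intermediary forwards both tokens unchanged; it never learns the key.
    reply = server_accept(key, nonce, token, s_id)
    return client_verify(key, nonce, reply, c_id)


if __name__ == "__main__":
    for relayed in (False, True):
        for bound in (False, True):
            print(f"relayed={relayed} bound={bound} ->",
                  mutual_auth_succeeds(relayed, bound))
```
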
Nalin, Christopher: So, what should we do with this bug / patch?
Attachment #145547 - Flags: review?(darin)
marking WONTFIX based on my conversation with nalin today.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX