Closed Bug 532127 Opened 12 years ago Closed 6 years ago

Implementation Proposal for Mutual HTTP authentication protocol


(Core :: Networking: HTTP, enhancement)

Not set





(Reporter: y.oiwa, Assigned: y.oiwa)




(2 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; ja; rv: Gecko/2009101600 Firefox/3.0.15
Build Identifier: 

This patch is to implement HTTP Mutual access authentication protocol,
which we are currently proposing to IETF HTTP Working group.

Mutual authentication protocol is a protocol which implements
password-based strong access authentication.  This protocol provides
true mutual authentication between HTTP clients and servers using
simple password-based authentication.  It is designed on top of
generic HTTP authentication architecture (RFC 2617).

Unlike Basic and Digest HTTP access authentication protocol, the
protocol ensures that the server knows the user's entity (encrypted
password) upon successful authentication.  This prevents common
phishing attacks: phishing attackers cannot convince users that the
user has been authenticated to the genuine website. Furthermore, even
when user has been authenticated against an illegitimate server, the
server can not gain any bit of information about user's passwords.

Currently, the draft protocol specification is submitted to the
IETF as an Internet Draft;  it is available both from IETF and
from our project homepage.  We also have an Apache module for this
protocol, which can be downloaded from our project page.
For trial, we put an implementation of Firefox with this patch
applied in our project page, too.

This patch consists of three parts:

  1. an extension to the C-language part of network-layer
     implementation, adding interfaces for implementing (2) below.
     To implement authentication in an add-on layer, we need several
     additional interfaces for communication between them
     (e.g. session management and hooks).

     Current our implementation is somewhat specific to our protocol:
     we think it can be generalized.

  2. an add-on module implemented in XPI layer for the Mutual
     authentication protocol.  Most of the work is done in this
     level.  Cryptographic computations are done in a DLL in
     this module.

  3. a new user interface for authentication.  To ensure (a) the
     authentication UI is not affected by the page content from
     malicious phishers, and (b) to show the result of a mutual
     authentication, we propose a new UI for this, separately from
     conventional authentication methods.  We also use this UI for
     supporting non-modal optional authentication (see specs for

To implement this protocol, at least part 1 (or generalized one)
have to be incorporated to the main code of the Mozilla browsers.
Other parts can either be built-in or be an add-on.

This proposal will be an answer for several existing bug IDs for
phishing and authentication issues:  further information is
posted on a web page specific for this bug-id:
This page contains the following resources:

  - links to related bug IDs
  - possible things to be considered (known issues)
  - materials (posters and paper abstracts) describing the proposed
    protocol and UI design
  - link to the trial implementation and trial website
  - more things to be added...

We believe the protocol is useful, and ask considerations for
including this to future (e.g. 3.7 or 4.0?) releases of Firefox.

Reproducible: Always
Assignee: nobody → y.oiwa
Ever confirmed: true
A bug on cache management, which has been found during implementing these patches,
has been submitted as a separate bug 533412.
That bug affects both existing (Basic/Digest) and new authentication mechanisms,
if 401 response bodies are processed as documents.

As this proposal always processes 401 responses when user/pass are not available,
the bug 533412 "must" be fixed for this bug-id.  (for Basic/Digest, it SHOULD.)
I added that bug as a dependency.

The patch above contains a partial workaround for bug 533412,
which is to be removed once that is fixed.
Depends on: 533412
A patch to the network portion of the main Mozilla code.
Obsoletes attachment 415413 [details] [diff] [review].
The extension part which implements the protocol.
Obsoletes attachment 415414 [details] [diff] [review].
These patches (538896 and 538897) are for Firefox 3.6.17.
Attachment #415413 - Attachment is obsolete: true
Attachment #415414 - Attachment is obsolete: true
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.