Implementation Proposal for Mutual HTTP authentication protocol




Networking: HTTP
8 years ago
2 years ago


(Reporter: Yutaka OIWA, Assigned: Yutaka OIWA)


Firefox Tracking Flags

(Not tracked)



(2 attachments, 2 obsolete attachments)



8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; ja; rv: Gecko/2009101600 Firefox/3.0.15
Build Identifier: 

This patch is to implement HTTP Mutual access authentication protocol,
which we are currently proposing to IETF HTTP Working group.

Mutual authentication protocol is a protocol which implements
password-based strong access authentication.  This protocol provides
true mutual authentication between HTTP clients and servers using
simple password-based authentication.  It is designed on top of
generic HTTP authentication architecture (RFC 2617).

Unlike Basic and Digest HTTP access authentication protocol, the
protocol ensures that the server knows the user's entity (encrypted
password) upon successful authentication.  This prevents common
phishing attacks: phishing attackers cannot convince users that the
user has been authenticated to the genuine website. Furthermore, even
when user has been authenticated against an illegitimate server, the
server can not gain any bit of information about user's passwords.

Currently, the draft protocol specification is submitted to the
IETF as an Internet Draft;  it is available both from IETF and
from our project homepage.  We also have an Apache module for this
protocol, which can be downloaded from our project page.
For trial, we put an implementation of Firefox with this patch
applied in our project page, too.

This patch consists of three parts:

  1. an extension to the C-language part of network-layer
     implementation, adding interfaces for implementing (2) below.
     To implement authentication in an add-on layer, we need several
     additional interfaces for communication between them
     (e.g. session management and hooks).

     Current our implementation is somewhat specific to our protocol:
     we think it can be generalized.

  2. an add-on module implemented in XPI layer for the Mutual
     authentication protocol.  Most of the work is done in this
     level.  Cryptographic computations are done in a DLL in
     this module.

  3. a new user interface for authentication.  To ensure (a) the
     authentication UI is not affected by the page content from
     malicious phishers, and (b) to show the result of a mutual
     authentication, we propose a new UI for this, separately from
     conventional authentication methods.  We also use this UI for
     supporting non-modal optional authentication (see specs for

To implement this protocol, at least part 1 (or generalized one)
have to be incorporated to the main code of the Mozilla browsers.
Other parts can either be built-in or be an add-on.

This proposal will be an answer for several existing bug IDs for
phishing and authentication issues:  further information is
posted on a web page specific for this bug-id:
This page contains the following resources:

  - links to related bug IDs
  - possible things to be considered (known issues)
  - materials (posters and paper abstracts) describing the proposed
    protocol and UI design
  - link to the trial implementation and trial website
  - more things to be added...

We believe the protocol is useful, and ask considerations for
including this to future (e.g. 3.7 or 4.0?) releases of Firefox.

Reproducible: Always

Comment 1

8 years ago
Created attachment 415413 [details] [diff] [review]
A patch to the network portion of the main Mozilla code.

Comment 2

8 years ago
Created attachment 415414 [details] [diff] [review]
The extension part which implements the protocol.
Assignee: nobody → y.oiwa
Ever confirmed: true

Comment 3

8 years ago
A bug on cache management, which has been found during implementing these patches,
has been submitted as a separate bug 533412.
That bug affects both existing (Basic/Digest) and new authentication mechanisms,
if 401 response bodies are processed as documents.

As this proposal always processes 401 responses when user/pass are not available,
the bug 533412 "must" be fixed for this bug-id.  (for Basic/Digest, it SHOULD.)
I added that bug as a dependency.

The patch above contains a partial workaround for bug 533412,
which is to be removed once that is fixed.
Depends on: 533412

Comment 4

6 years ago
Created attachment 538896 [details] [diff] [review]
A patch to the network portion of the main Mozilla code.

A patch to the network portion of the main Mozilla code.
Obsoletes attachment 415413 [details] [diff] [review].

Comment 5

6 years ago
Created attachment 538897 [details] [diff] [review]
The extension part which implements the protocol.

The extension part which implements the protocol.
Obsoletes attachment 415414 [details] [diff] [review].

Comment 6

6 years ago
These patches (538896 and 538897) are for Firefox 3.6.17.


6 years ago
Attachment #415413 - Attachment is obsolete: true


6 years ago
Attachment #415414 - Attachment is obsolete: true
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.